Category Archives: Employee Privacy

November 3, 2021

Making Room for Vaccinated, Unvaccinated Employees Under Same Roof

by Steven Gutierrez

Steve Gutierrez

Question: We aren’t sure we want to permit someone who isn’t vaccinated to work closely with us and are particularly concerned because the unvaccinated employee is sitting next to an enclosed area with a fully vaccinated individual who has an immunocompromised infant. How do we protect the vaccinated employee and her infant when we cannot say who is/is not vaccinated because of the Health Insurance Portability and Accountability Act (HIPAA)?

Answer: These are good questions to ask and should be part of the interactive process with the unvaccinated employee to see if there’s a reasonable accommodation that doesn’t pose an undue hardship. Additionally, under the present circumstances, the unvaccinated employee may be considered a “direct threat” that cannot be eliminated or reduced by reasonable accommodation. Read more >>

July 17, 2018

New Colorado Data Privacy Requirements Apply to Employers

Dustin Berger

By Dustin D. Berger

Organizations that employ workers in Colorado will soon face more stringent data privacy requirements, thanks to new legislation signed into law by Governor Hickenlooper at the end of May. This new law, HB 18-1128, imposes new obligations on all covered entities in the state that maintain documents that contain personal identifying information of Colorado residents. These obligations go into effect on September 1, 2018. Here are the highlights of the new requirements and steps employers should take to comply.

Practically All Employers Will Be Affected by the New Law

The new law applies to a “covered entity,” which is essentially defined as any individual or entity “that maintains, owns, or licenses personal identifying information”—regardless of how much business the covered entity does within Colorado. The statute defines “personal identifying information” as “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.”

Because virtually all employers maintain information on their employees that is considered personal identifying information, such as social security numbers, employer identification numbers, passport numbers, or driver’s license numbers, employers with Colorado employees will be subject to the requirements of the new law.

The key provisions in the new law are its requirements that covered entities: (1) maintain reasonable security procedures and practices; (2) establish and follow a written policy for the destruction of personal information when it is no longer needed; (3) ensure that third-party service providers handling their personal information have implemented and maintained reasonable security procedures and practices; and (4) follow the law’s notification procedures when it becomes aware that a security breach “may have” occurred.

1.         Reasonable Security Procedures and Practices

HB 18-1128 creates a new statutory section, C.R.S. § 6-1-713.5, that requires covered entities to implement and maintain reasonable security procedures and practices to protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction. While not specifying exactly what type of security procedures are required, the new provision states that such procedures must be appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.

If a covered entity discloses personal identifying information to a third-party service provider, it must require that the service provider implement and maintain reasonable security procedures and practices, as outlined in number 3 below. 

2.         Disposal of Documents Containing Personal Identifying Information

Colorado has had a statute governing the disposal of documents containing personal identifying information since 2004, but the new legislation amends C.R.S. § 6-1-713 to expand covered entities’ responsibilities with respect to personal identifying information. Now, the disposal requirements apply to documents that are kept electronically as well as those kept in paper form. The new law also requires that covered entities implement a written policy specifying that the entity shall destroy (or arrange for destruction of) the documents by making the information unreadable or completely indecipherable.

3.         Ensure Third-Party Service Providers Have Reasonable Security Procedures

If a covered entity discloses personal identifying information to a third-party service provider, the covered entity must now require the service provider implement and maintain reasonable security procedures and practices that are reasonably designed to help protect the information from unauthorized access, use, modification, disclosure, or destruction, as appropriate to the nature of the information disclosed to the service provider. A third-party service provider is defined as an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.

4.          Security Breach Notification Requirements Enhanced

The new law significantly amends Colorado’s statute governing notifications of a security breach, C.R.S. § 6-1-716. A “security breach” is defined, in relevant part, as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.

Under the new provisions, a covered entity has no more than 30 days to provide notice of a security breach. Notice must be made to affected Colorado residents in a very specific manner including notice by mail, telephone, electronically, or by substitute notice, and must contain a myriad of information regarding the breach and options that are available to the affected person. If a breach is reasonably believed to have affected 500 Colorado residents or more, the entity also must provide notice of the breach to the Colorado Attorney General.

And, unlike the previous law, the 30-day period begins to run when the covered entity becomes aware that a “security breach may have occurred.” In the prior version of the law, the 30-day period did not begin to run until the covered entity became aware of a breach. This change is likely to increase the pressure on covered entities to timely respond to indicators and predictors of a security breach. 

Sanctions 

Employers who violate the law can face enforcement proceedings from the Colorado Attorney General or the district attorneys of the state. These proceedings can result in civil penalties of up to $2,000 per affected person, up to a maximum of $500,000 per incident. They also can be liable directly to affected persons who are harmed by the violation.

Steps for Employers to Take

The new data security requirements go into effect on September 1, 2018, so employers who maintain personal identifying information on Colorado residents have little time to prepare to comply. Steps to take include:

  • Develop and implement reasonable practices designed to protect personal identifying information from unauthorized access, use, or disclosure (e.g., password-protection, encryption, etc.) that are commensurate with the sensitivity of the personal identifying information.
  • Create a written policy regarding the destruction and disposal of paper and electronic documents containing personal identifying information.
  • Review agreements with third-party service providers to ensure that service providers have reasonable procedures to protect the security of personal identifying information provided to them.
  • If you have a security incident response plan, update it to reflect the changes in the law.
  • If you do not have a security incident response plan, prepare one to ensure that you can meet the new law’s notification requirements.

March 25, 2014

2014 Wyoming Legislature Keeps Status Quo, But Changes On The Horizon?

By Brad Cave

The 2014 session of the Wyoming Legislature did not pass any significant employment legislation, but the Legislature’s actions on some of the measures it did consider could portend a much more interesting 2015 legislative session. 

Independent Contractors.  The issue of independent contractors garnered the most legislative attention of any employment issue in the 2014 session.  In February, we reported on House Bill 16 which would have created misdemeanor criminal penalties for “knowingly failing to properly classify an individual as an employee” leading to a reduction in unemployment contributions or workers compensation premiums or benefits. (A companion measure, Senate File 112, was introduced in the Senate but failed to get sufficient votes for introduction.)  This measure was sponsored by the Joint Corporations, Elections and Political Subdivisions Interim Committee.   Although it failed to garner the two-thirds vote required for introduction during a budget session, a majority of the representatives in the House voted in favor introduction in the 32-26 vote.  This bill may rear its ugly head again in the 2015 general session, where introduction requires only a majority vote. 

On the bright side of the independent contractor issue, Senate File 96 proposed an amendment that would have relaxed the definition of independent contractor in the unemployment and workers compensation statutes.  Those two identical definitions currently require that a person classified as an independent contractor meet three requirements: 

  • The person is free from control or direction over the details of the performance of services by contract and by fact;
  • The person represents his services to the public as a self-employed individual or an independent contractor; and,
  • The person may substitute another individual to perform his services. 

These three factors have always been part of the commonly accepted definition of an independent contractor, as recognized by courts, other statutes and the Internal Revenue Service.  But courts and the IRS weigh these and several other factors, without any single factor or group of factors controlling the determination.  This approach permits employers to fashion independent contractor relationships under a variety of circumstances.  Because of the “and” between the second and third factor, the Wyoming definition requires employers to meet all three of these factors, regardless of the other circumstances surrounding the independent contractor relationship.  Add to that the fact that the second factor is wholly outside of the employer’s control, and you have a very strict and onerous definition. 

Senate File 96 would have added a second test to the unemployment and workers compensation definitions to give employers two ways to prove independent contractor status.  Under the second option, a person providing services would be properly classified as an independent contractor if the person: 

  • is free from control or direction, asserted directly by the person or entity contracting for the services, over the details of the performance of services by contract and by fact; and,
  • has substantial investment used in connection with the performance of the services.  The investment may include physical assets, financial assets, education, experience, intellectual property or any combination of these factors. 

This proposed change would obviously open the door to a broader range of independent contractor relationships, and recognize the importance and prevalence of the sole proprietor independent contractor, particularly in technology services.  

Senate File 96 passed the Senate with strong support, but the House defeated the measure by a vote of 54 to 6.   Reasons for its demise may include timing – it was brought to the floor of the House on the last day for the entire House to consider new measures.  Also, there may have been some confusion about whether the changes would be consistent with the IRS definitions of independent contractors and other statutory definitions.  Because the House had little or no time to resolve these questions, the measure died.  We encourage the Legislature to address this topic again next session. 

Employer Access to Social Media Accounts.   The surprise proposal of the session was Senate File 81, which would have put Wyoming on the bandwagon of other states which are restricting employer access to employees’ social media accounts.  This proposal would have amended the Wyoming Fair Employment Practices Act to make it an unfair employment practice for employers to “request or require” any employee or applicant to disclose any username, password or other method of accessing personal social medial accounts.  Social media accounts was broadly defined under the proposal, to include videos, images, blogs, podcasts, instant and text messages, email, internet websites or locations and other online services or accounts.  

The measure included exceptions to the general restrictions for (1) access to employer social media accounts used for the employer’s business purposes; (2) when personal social media is reasonably believed to be relevant to an investigation of allegation of employee misconduct or violation of laws or regulations, if access is limited to the investigation or a related proceeding; (3) when conducting an investigation of an employee’s social media when required to comply with the requirements of state or federal law, or the rules of a self-regulating organization; or, (4) when an applicant applies for law enforcement employment. 

Senate File 81 flew through the Senate with strong support, and started strong in the House, but was then defeated by a House vote of 36-16. 

Our experience suggests that this is a solution in search of a problem.  The huge majority of employers already avoid efforts to access employees’ social media because learning such information can cause all sorts of headaches for employers.  In fact, employers usually learn about employees’ social media content when employees report to the employer some other employee’s bad behavior as described on social media, and usually expect the employer to do something about it.  Although the exception for investigation-related access is helpful, even that language forces employers to couch their requests in terms that will simply raise the stakes of workplace situations. 

Wyoming employers should pay attention next session to see if the Legislature takes up this topic. 

Misconduct Disqualifications from Unemployment Benefits.  Senate File 76 added a new definition of misconduct to the unemployment compensation statute to outline the circumstances under which a former employee may be disqualified from unemployment benefits.  It was signed by Governor Mead on March 10, 2014, and will become effective on July 1, 2014. 

The unemployment compensation statute already states that an employee will be disqualified from benefits if the Department of Workforce Services finds that the employee was discharged for “misconduct connected with his work”  but does not define that phrase.  To fill the gap, several years ago the Wyoming Supreme Court adopted a definition that required a showing of an act of the employee that indicated a disregard of the employer’s interests or the commonly accepted duties, obligations and responsibilities of an employee, to include carelessness or negligence of such a degree or recurrence as to reveal willful intent or intentional disregard of the employer’s interests or the employee’s duties and obligations.  Violation of company policies or rules could qualify as misconduct under the court’s definition, provided the employee acted intentionally.  The court’s definition also provided that inefficiency, failure of good performance due to incapacity or inability, ordinary negligence or good faith errors in judgment were not adequate to disqualify an employee. 

The new definition of “misconduct connected with work” seems to adopt much of the Wyoming Supreme Court’s interpretation of the phrase.  The phrase is now defined as “an act of an employee which indicates an intentional disregard of the employer’s interests or the commonly accepted duties, obligations and responsibilities of an employee.”  The amendment also excludes from the definition of misconduct, (1) ordinary negligence in isolated instances; (2) good faith errors in judgment and discretion, and (3) inefficiency or failure in good performance as the result of inability or incapacity. 

Because the new statutory definition is very similar to the definition the Supreme Court has used for years, we will need to see how the definition is applied by the Department and the courts to determine whether the misconduct standard has changed at all through this amendment. 

Computer Trespass.  Although not an employment measure, House Bill 178 created a new criminal offense that may give employers a new tool to help prevent employee sabotage.  This measure, which passed both houses and was signed by Governor Mead, created the crime of computer trespass.  A computer trespass occurs when a person knowingly and without authorization, with the intent to damage or cause the malfunction of a computer, system or network, sends malware, data or a program which alters, damages or causes the malfunction of the computer, system or network, or causes it to disseminate sensitive information. 

The measure also created a civil remedy for computer trespass, and permits a person who suffers damage due to a trespass to sue the computer trespasser for damage to computers, systems, or networks, and the costs incurred because of the loss of use of those assets.  The person brining the action can recover the damages caused by the trespass, as well as the costs incurred to identify the trespasser and to serve a complaint on the trespasser. 

House Bill 178 was passed by both houses, and signed by Governor Mead on March 10, 2014.  The new law will become effective on July 1, 2014. 

This new law may be useful to employers if former or disgruntled employees attempt to misuse an employer’s computer systems.  Employers should adopt and periodically review technology policies that carefully define when and how employees are authorized to use the employers’ computer, systems and networks.  If an employee causes computer damage under questionable circumstances, such policies may help employers draw clear lines about when an employee’s access is unauthorized and pursue civil remedies under the statute. 

And the Rest of the Pack.  A few other employment measures never saw the light of day during the 2014 session.  House Bill 45, which would have raised the minimum wage, and House Bill 57, which would have restricted employers’ ability to restrict the post-termination value of accrued vacation, both failed to get enough votes for introduction.  

Bottom Line.  The 2015 legislative session should be interesting, with the possible return of independent contractor and social media legislation.  These are significant issues for Wyoming employers.  We will keep you posted.

Click here to print/email/pdf this article.

July 22, 2013

Myriad of Social Media Privacy Laws Create Havoc for Multi-State Employers

By Elizabeth Dunning 

ComputerDoes your company request that your employees and applicants provide user names and passwords to their personal social media accounts?  Do you require applicants to log onto their online accounts in your presence so that you can view their content?  Perhaps you ask employees to “friend” their supervisors.  If you haven’t followed new developments in state employment laws, you may not realize that such activities are unlawful in some states.  In just two years, eleven states have passed social media privacy laws that prevent employers from accessing employees’ and applicants’ personal online accounts.  Each state law differs in certain respects, making it difficult for multi-state employers to adopt a uniform and consistent social media policy.  To help sort things out, we highlight here the primary differences in the state social media privacy laws. 

States with Workplace Social Media or Internet Privacy Laws 

The eleven states that have enacted social media or internet privacy laws affecting employers to-date are:  Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington.  All but one of these states protect the access information for both current and prospective employees, with New Mexico only protecting the log-in information of applicants. 

Differences in State Social Media Laws 

Generally, all of these states prohibit an employer from requesting or requiring an employee or applicant to disclose his or her user name, password or other means of accessing his or her personal social media accounts. Many of these states also make it unlawful to discipline, discharge, discriminate against or penalize an employee, or fail to hire an applicant who refuses to disclose his or her access information to personal social media accounts.  However, that’s where the uniformity in the laws generally ends.  The following chart highlights numerous key differences between the state laws. 

Legal Provision

States Recognizing Provision

Prohibits employers from requesting that employee add employer representative or another employee to his or her list of contacts (e.g., “friend”)

Arkansas, Colorado, Oregon and Washington

Prohibits employers from requesting employee to access his or her personal social media account in the presence of the employer (“shoulder surfing”)

California, Michigan, Oregon and Washington

Prohibits employers from requesting employee to change the privacy settings on his or her personal social media accounts

Arkansas, Colorado and Washington

Specifically permits employers to view and access social media accounts that are publicly available

Arkansas, Illinois, Michigan, New Mexico, Oregon and Utah

Exception when access required to comply with laws or regulations of self-regulatory organizations

Arkansas, Nevada, Oregon and Washington

Exception for investigations of employee violation of law or employee misconduct

Arkansas, California, Michigan, Oregon, Utah and Washington (Colorado and Maryland limit this exception to investigation of securities or financial law compliance)

Exception for investigation of unauthorized downloading of employer’s proprietary, confidential or financial data

Colorado, Maryland, Michigan, Utah and Washington

Inadvertent acquisition of personal log-in information while monitoring employer systems not a violation but employer not permitted to use the log-in information to access personal social media accounts

Arkansas, Oregon and Washington

As you can see, the differences in the laws exceed the similarities, making it difficult for an employer operating in more than one covered state to comply with all applicable provisions.  Even the definition of covered social media accounts varies by state, creating even more inconsistencies. 

Would a Federal Law Help? 

With eleven laws in place and almost 20 additional states considering social media privacy bills, the issue seems ripe for a federal bill that would bring some uniformity to the protections offered to employees and applicants.  In February 2013, the Social Networking Online Protection Act, which offers such workplace protections, was introduced into the U.S. House of Representatives.  Unfortunately, it has languished in committee and is not expected to pass.  In addition, a federal law on the issue will likely only simplify the web of state laws if it specifically preempts state law.  Without federal preemption, we might face two sources of law on the issue, federal and state, which might muddy the waters even more.  In any event, it does not appear that a federal law will be enacted before additional states enact their own laws, leaving employers to struggle with the variances in state law. 

Best Practices for Complying with Social Media Privacy Laws 

With the vast amount of information available on social media and the increased use of social networking platforms for business purposes, it is likely that most employers will at some point need to access or review content on an employee’s or applicant’s social media account.  Perhaps it will be for an investigation of an employee who downloaded proprietary information or perhaps it will be to confirm derogatory statements about the company made by an employee.  Whatever the reason, the first step is to recognize that these laws exist and you will need to review which, if any, apply to your company and/or the employee involved.  Remember that you are generally free to access publicly available social media content.  However, if one of these state laws applies, consult with legal counsel before accessing (or requesting access to) any personal social media accounts to determine what restrictions and exceptions are applicable to your particular circumstances. 

Establish a social media policy specifying that employees are not permitted to disclose or post proprietary or confidential company information on their personal social media accounts.  Make a clear delineation between company/business-related social media accounts where you control who speaks on behalf of your organization, and personal accounts where employees do not represent the views of the company. Be careful that your social media policy does not run afoul of the National Labor Relations Act by interfering with employees’ right to discuss their wages and working conditions in a concerted manner.  Communicate your policy to your employees through normal channels, such as your employee handbook, online policy/intranet, etc. 

Train your supervisors, managers and human resources staff on these laws.  Sometimes supervisors or HR folks think it is acceptable to ask an employee to “friend” them online, or to ask for their log-in information to view pictures or other benign posts.  Despite good intentions, company representatives could get you into legal trouble so advise them of these laws and your restrictions on requesting access to personal social media accounts.

Disclaimer: This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice and are not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


Print Friendly and PDF

May 6, 2013

Colorado Restricts Employers’ Use of Credit Reports

By Mark Wiletsky 

Employers using credit reports to evaluate applicants and employees take note: Colorado recently enacted the “Employment Opportunity Act” limiting the use of credit reports in employment decisions.  In passing this law, Colorado joins eight other states–California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington–in restricting employers from obtaining and/or using credit history information when evaluating applicants and employees.   The new Colorado law exempts certain job positions from the prohibition on the use of credit reports, but the exceptions are very fact specific.  Employers need to analyze the job responsibilities of the position at issue in order to determine if they may use credit information under this new law. 

Prohibition on the Use of Consumer Credit Information for Employment Purposes 

Effective July 1, 2013, section 8-2-126 of the Colorado Revised Statutes provides that an employer shall not use consumer credit information for employment purposes unless the credit information is substantially related to the employee’s current or potential job.  This means that Colorado employers are prohibited from using credit information in the employment context except in those limited situations where credit or financial responsibility is substantially related to the job.  The type of information prohibited under this law includes any written, oral or other communication of information that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.  This includes a credit score, but does not include the name, address or date of birth of an employee associated with a social security number. 

“Substantially Related” Analysis Looks to Job Responsibilities 

When determining whether a particular position falls within the exception where credit information is “substantially related to the employee’s current or potential job,” employers may not rely on an informal, best-guess determination.  Instead, employers must carefully analyze whether the job in question meets the parameters detailed in the new law.  

Under Colorado’s law, “substantially related to the employee’s current or potential job” is defined to apply to positions that: 

1)         Constitute executive or management personnel or officers or employees who constitute professional staff to executive and management personnel, and the position involves one or more of the following: 

                A)    Setting the direction or control of a business, division, unit or an agency of a business;

                B)    A fiduciary responsibility to the employer;

                C)    Access to customers’, employees’, or the employer’s personal or financial information (other than information ordinarily provided in a retail transaction); or

                D)    The authority to issue payments, collect debts or enter into contracts; OR 

2)         Involves contracts with defense, intelligence, national security or space agencies of the federal government.

Consider this example:  you are hiring a human resource specialist who will administer employee benefits within your company.  May you obtain and use a credit report on applicants for this position?  Assuming this position does not involve federal defense, intelligence, national security or space agency contracts, you first must determine if this position is an executive or management position, or alternatively, if this position is considered professional staff to an executive or manager.  In our example, the employee benefits specialist position may or may not be an executive or management position at your company.  If not, the position may be considered professional staff to an executive or manager if the position reports to an HR Director, Vice President or other similar high level manager or officer.  If we assume this position meets this threshold determination, you next must analyze if the position involves one or more of the four areas of responsibilities where credit information will be deemed substantially related.  Because an employee benefits specialist is likely to have access to employees’ personal and perhaps financial information, it appears to fall within the third area of responsibility where credit information will be deemed substantially related to the job, but the answer is certainly not clear-cut.

Requesting Employee Consent to Obtain a Credit Report  

In addition to the prohibition on the use of credit information for employment purposes, the new Colorado law prohibits employers or their agents from requiring an employee to consent to a request for a credit report that contains information about the employee’s credit score, credit account balances, payment history, savings or checking account balances, or savings or checking account numbers as a condition of employment unless: 

            1) The employer is a bank or financial institution;

            2) The report is required by law; or

3) The report is substantially related to the employee’s current or potential job andthe employer has a bona fide purpose for requesting or using information in the credit report and is disclosed in writing to the employee.   

The written disclosure requirement here is a new procedural step with which most employers meeting this exception will not be familiar.  Employers meeting these criteria now need to provide applicants/employees with a notice of their business purpose for requesting credit information.

Employee May Be Allowed to Explain Circumstances Affecting Credit 

In those cases when an employer is permitted to use credit information because it is substantially related to the job, an employer may ask the employee to explain any unusual or mitigating circumstances that affected their credit history.  For example, if the credit report shows delinquent payments, the employer may inquire further allowing the employee to explain circumstances that may have caused the delinquencies, such as an act of identity theft, medical expense, a layoff, or a death, divorce or separation.   

Adverse Action Disclosure Required 

If the employer relies on any part of the credit information to take adverse action regarding the employee or applicant, the employer must disclose that fact and the particular information relied upon to the employee.  This disclosure must be made to the employee in writing but can be made to an applicant via the same medium in which the application was made (e.g., if the application was submitted electronically, this disclosure may be sent electronically). 

FCRA Obligations Still Apply 

Employers who are permitted to obtain and use credit reports under the Colorado law must also comply with the requirements of the Fair Credit Reporting Act (FCRA) in order to obtain a credit report from a consumer reporting agency.  These additional FCRA duties include: 

1)         Providing a clear and conspicuous written disclosure to the applicant/employee before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained;

2)         Getting written authorization from the applicant/employee before obtaining the report;

3)         Certifying to the consumer reporting agency that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer's rights will be provided to the consumer;

4)         Before taking an adverse action, providing a copy of the report and a summary of FCRA consumer rights to the applicant/employee; and

5)         After an adverse action is taken, sending an adverse action notice to the employee/applicant containing certain FCRA-required statements. 

Credit Check Compliance 

Colorado employers need to review and update their background check policies as they relate to conducting credit checks on applicants and existing employees.  In addition to FCRA obligations, employers wishing to use credit reports have additional restrictions and duties under state law.   

Employers now must analyze whether each position for which they wish to obtain credit reports meets the “substantially related to the employee’s current or potential job” criteria.  If the position meets that criteria and the employer wishes to obtain a credit report on an applicant or existing employee, the employer first must provide a written disclosure to the applicant/employee describing the bona fide purpose of obtaining the credit information.  If the credit report reveals questionable or negative information, the employer may (but is not required to) ask the applicant/employee to explain any unusual circumstances that may have led to the unfavorable credit information.  If the employer rejects the applicant/employee for the position based in any way on the credit report, the employer must provide the required FCRA adverse action notices as well as a written explanation of the particular information in the report that led to the employer’s decision. 

Multi-state employers face unique challenges when obtaining and using credit reports for employment purposes as they must comply with various state laws that now restrict such use.  Given the intricacies of complying with the FCRA and applicable state laws, employers are wise to consult with their counsel to review and update their credit check policies. 

 

April 25, 2013

Tips for Complying with Utah’s Internet Employment Privacy Act

By Elizabeth Dunning

Effective May 14, 2013, Utah employers may not request employees or applicants to disclose information related to their personal Internet accounts.  The Internet Employment Privacy Act(IEPA), recently signed into law by Utah Governor Gary R. Herbert, prohibits employers from asking an employee or applicant to reveal a username or password that allows access to the individual’s personal Internet account.  In addition, employers may not penalize or discriminate against an employee or applicant for failing to disclose a username or password.  A similar restriction applies to higher educational institutions through passage of the Internet Postsecondary Institution Privacy Act. 

With enactment of the IEPA, Utah becomes the fifth state to pass legislation that limits an employer’s access to social media accounts, joining California, Illinois, Maryland and Michigan.  New Mexico passed a similar law shortly after Utah and New Jersey’s law passed the legislature and is awaiting the governor’s signature.  A bill introduced in February in the U.S. House of Representatives called the Social Networking Online Protection Act (H.R. 537) is stuck in committee. 

Public Online Accounts Are Fair Game under the IEPA 

The IEPA does not restrict or prohibit employers from viewing or using online information about employees and applicants that the employer can obtain without the employee’s username or password.  Any online information that is available to the public may be accessed and viewed by employers without violating the IEPA.  Consequently, individuals who set privacy settings on their online accounts to allow “public” access effectively opt themselves out of any protections offered by this new law. 

Utah Restriction Applies to Accounts Used Exclusively for Personal Communication 

In prohibiting employers from requiring disclosure of online usernames and passwords, the IEPA draws a distinction between personal Internet accounts and those used for business related communications.  The law only restricts employer access to personal online accounts that are used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer.  It does not, however, restrict access to accounts created, maintained, used or accessed by an employee or applicant for business related communications or for a business purpose of the employer.  

In practice, the line between personal and business related accounts may be blurred as many employees use their personal online presence to network and communicate for business reasons.  Consider the sales person who uses his or her LinkedIn account to communicate with potential buyers within a particular industry, or the CPA who posts tax reminders on his or her Facebook page.  Are those accounts accessible under the IEPA since they are not used “exclusively” for personal communications?  A plain reading of the law suggests that may be the case, thereby watering down the potential protections offered by the IEPA to applicants and employees.   

Steps for Complying with the IEPA 

Utah employers should review their HR forms, policies and practices to ensure that they do not ask applicants and/or employees to provide a username or password to their personal Internet accounts.   Train supervisors and managers not to ask for this information as well.  In fact, take the opportunity to remind supervisors and managers not to “friend” subordinates on personal online platforms, such as Facebook.  In addition, reinforce that employees and applicants may not be penalized or treated adversely for failing to provide a username or password for personal online accounts.   

Remember, too, that even though the IEPA does not prohibit accessing an employee’s or applicant’s public social media accounts, viewing such information creates other risks.  Employers may view information regarding the individual’s religion, race, national origin, disability, age, or other protected group status that could give rise to a discrimination claim.  Furthermore, online information is unreliable and ever-changing, meaning that employers should not rely on what they see online when making employment decisions.  To stay out of trouble, consult with legal counsel before viewing or using social media in the employment context.

For more information about permissible actions and potential damages under the Utah Internet Employment Privacy Act, please see our Client Alert.

February 26, 2013

Who Owns Your Employees’ LinkedIn Profiles? The Answer Might Surprise You.

By Mark B. Wiletsky

If your employees use LinkedIn to establish and maintain contacts for business purposes (such as sales), what happens to those accounts—and contacts—when the employee quits or is fired?  Can an employer who has access to an employee’s LinkedIn profile change her password and replace information in her profile following her termination?  No, says at least one federal judge in Pennsylvania recently, though that case is not yet over.  As explained below, employers should be careful before assuming that they own their employees’ LinkedIn profiles. 

Employer Access to High Level Executive Profiles

Edcomm, Inc., a banking education company, strongly urged its employees to create LinkedIn accounts using their company email addresses as a business networking tool.  It had employee policies governing online postings and specified that if employees identified themselves as an Edcomm employee, they needed to use a specific template that contained pre-approved content about the company and referred to the company’s website.  The company provided a photographer to take professional photos for employee use on their LinkedIn accounts.  It also allowed some Edcomm employees to access, develop and administer the LinkedIn accounts of senior management, such as responding to invitations, inviting new contacts and researching good news stories to include on their LinkedIn pages.

After being acquired by another company, Edcomm, Inc. terminated its company president and founder, Linda Eagle, as well as several other top executives. After her termination, Edcomm locked Eagle out of her LinkedIn profile by changing her password.  It then changed the information on the profile to that of the new acting CEO.

Company Argues LinkedIn Account was Akin to a Client List

Eagle sued Edcomm alleging numerous violations of state and federal law, including invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft and conversion.  Edcomm argued that the LinkedIn accounts were used to contact new clients and promote the company’s services.  As such, the company claimed that its take over of Eagle’s account was similar to the company keeping possession of a client list after an employee is terminated. 

The Judge didn’t buy it.  At a recent hearing, Judge Ronald Buckwalter stated that Edcomm likely had no right to change Eagle’s LinkedIn password and change her profile information.  He noted that the company had no internal policy that would hand over ownership of employee profiles when employees left the company and that the LinkedIn accounts belonged to the individual employees. 

Be Prepared For An Employee’s Departure

Although it is wise to implement a social media policy to address employee use of company information on personal or company-sponsored social media accounts, you need to be wary of who owns the rights to such information.  First, as indicated in the Edcomm case above, you risk potential invasion of privacy and other claims.  Second, the employee might have rights to the account independent of the employer, as established in an agreement between the service provider and the employee.  At a minimum, consider implementing specific policies that address these issues up front, and consider what services your employees are using to establish and maintain connections with clients.  The fact that contacts are connected through LinkedIn, Facebook, or some other social media site can significantly impact an argument that such contacts are protectable trade secrets.  Lastly, don’t forget that forcing access to employees’ social media can be risky.  Four states have enacted legislation to prohibit or restrict employers from asking for social media access and many other states are currently debating similar restrictions.

April 10, 2012

Maryland Protects Employees’ Social Media

By Mark Wiletsky

According to various blogs, including a post by the ACLU, Maryland has become the first state to ban employers from requiring employees or applicants to provide access to their otherwise protected social media accounts.  I have not yet seen the text of the bill that Maryland passed, but the new law is not entirely surprising in light of the furor that recently erupted–which gained national media attention–based on reports of a few employers demanding access to applicants' or employees' Facebook and other social media accounts. Whether Maryland's law protecting employees' social media accounts is the first of many state laws, or even a new federal law, remains to be seen.  Regardless, this is yet another indication to employers to be cautious about social media.  Employees' use of and access to social media–both inside and away from the workplace–raises novel issues that courts and legislatures will have to address.  Until more definitive guidance is provided, be aware that your practices may need to modified and reviewed regularly to address this evolving area of the law. 

March 27, 2012

Furor Over Facebook Continues

By Mark Wiletsky    

Following up on my post last week, the flap over employers asking applicants to turn over their passwords to social media accounts, such as Facebook, rages on.  Two senators–Sens. Richard Blumenthal (D-Conn.) and Charles Schumer (D-N.Y.)–on March 25 asked the Department of Justice and the EEOC to investigate this practice (http://blumenthal.senate.gov/newsroom/press/release/blumenthal-schumer-employer-demands-for-facebook-and-email-passwords-as-precondition-for-job-interviews-may-be-a-violation-of-federal-law-senators-ask-feds-to-investigate).  Facebook joined the fray by warning employers about this practice, and of course the ACLU has raised concerns as well (http://www.cnn.com/2012/03/23/tech/social-media/facebook-employers/index.html?hpt=hp_t3).  Is this issue being overblown?  Other than media reports about a couple of public entities, it is unclear how many employers are demanding applicants turn over passwords to social media accounts as a condition of employment (or consideration for employment).  Still, the heightened media attention is a good reminder for employers to review their hiring practices and their social media policies.  If you have not yet read the NLRB's January 25, 2012 Operations Management Memo (http://www.nlrb.gov/news/acting-general-counsel-issues-second-social-media-report), I recommend doing so.  Even though I disagree with certain aspects of the Memo, it provides some good examples of things to avoid in both social media policies and discipline/termination situations involving social media–for Union and non-Union work environments.   

March 23, 2012

Hiring and Social Media: Beware

By Mark Wiletsky

Should you require prospective employees to provide you with access to their Facebook page and other social media accounts, as a condition of being considered for the job?  Some public agencies apparently are doing so.  But Richard Blumenthal, a Democratic senator from Connecticut, is writing a bill to prohibit the practice.  (Not surprisingly, you can find more information about his proposed bill by visiting his Facebook page: http://www.facebook.com/dickblumenthal).  Relying on social media for hiring decisions can be risky, but it happens.  People Google a candidate’s name, check LinkedIn profiles, browse a Facebook page, or surf the web to see if they can learn some information about the candidate.  It’s so easy to do, and there is so much information about people on the web that it is hard to resist.  The problem is that the information on the Internet may or may not be relevant to the job.  The information also might disclose protected characteristics that you would not otherwise know from simply reviewing a job application (e.g., a person’s race, a disability, etc.).  My own thought is that for most private employers, it is not a good idea to require candidates to turn over passwords to their social media accounts.  Regardless of whether the candidate agrees to do so, it is clearly not a voluntary decision, and it raises a host of potential problems for private employers, beyond even the typical problem of not hiring someone due to a protected characteristic, e.g., what happens if someone at the company loses the password, abuses it, or protects it but is later accused of being responsible for hacking into the account?  The law in this area continues to evolve, but I would avoid becoming a “test case” for having gone too far.