Category Archives: Employee Privacy

November 3, 2021

Making Room for Vaccinated, Unvaccinated Employees Under Same Roof

by Steven Gutierrez

Steve Gutierrez

Question: We aren’t sure we want to permit someone who isn’t vaccinated to work closely with us and are particularly concerned because the unvaccinated employee is sitting next to an enclosed area with a fully vaccinated individual who has an immunocompromised infant. How do we protect the vaccinated employee and her infant when we cannot say who is/is not vaccinated because of the Health Insurance Portability and Accountability Act (HIPAA)?

Answer: These are good questions to ask and should be part of the interactive process with the unvaccinated employee to see if there’s a reasonable accommodation that doesn’t pose an undue hardship. Additionally, under the present circumstances, the unvaccinated employee may be considered a “direct threat” that cannot be eliminated or reduced by reasonable accommodation. Read more >>

July 17, 2018

New Colorado Data Privacy Requirements Apply to Employers

Dustin Berger

By Dustin D. Berger

Organizations that employ workers in Colorado will soon face more stringent data privacy requirements, thanks to new legislation signed into law by Governor Hickenlooper at the end of May. This new law, HB 18-1128, imposes new obligations on all covered entities in the state that maintain documents that contain personal identifying information of Colorado residents. These obligations go into effect on September 1, 2018. Here are the highlights of the new requirements and steps employers should take to comply.

Practically All Employers Will Be Affected by the New Law

The new law applies to a “covered entity,” which is essentially defined as any individual or entity “that maintains, owns, or licenses personal identifying information”—regardless of how much business the covered entity does within Colorado. The statute defines “personal identifying information” as “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.”

Because virtually all employers maintain information on their employees that is considered personal identifying information, such as social security numbers, employer identification numbers, passport numbers, or driver’s license numbers, employers with Colorado employees will be subject to the requirements of the new law.

The key provisions in the new law are its requirements that covered entities: (1) maintain reasonable security procedures and practices; (2) establish and follow a written policy for the destruction of personal information when it is no longer needed; (3) ensure that third-party service providers handling their personal information have implemented and maintained reasonable security procedures and practices; and (4) follow the law’s notification procedures when it becomes aware that a security breach “may have” occurred.

1.         Reasonable Security Procedures and Practices

HB 18-1128 creates a new statutory section, C.R.S. § 6-1-713.5, that requires covered entities to implement and maintain reasonable security procedures and practices to protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction. While not specifying exactly what type of security procedures are required, the new provision states that such procedures must be appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.

If a covered entity discloses personal identifying information to a third-party service provider, it must require that the service provider implement and maintain reasonable security procedures and practices, as outlined in number 3 below. 

2.         Disposal of Documents Containing Personal Identifying Information

Colorado has had a statute governing the disposal of documents containing personal identifying information since 2004, but the new legislation amends C.R.S. § 6-1-713 to expand covered entities’ responsibilities with respect to personal identifying information. Now, the disposal requirements apply to documents that are kept electronically as well as those kept in paper form. The new law also requires that covered entities implement a written policy specifying that the entity shall destroy (or arrange for destruction of) the documents by making the information unreadable or completely indecipherable.

3.         Ensure Third-Party Service Providers Have Reasonable Security Procedures

If a covered entity discloses personal identifying information to a third-party service provider, the covered entity must now require the service provider implement and maintain reasonable security procedures and practices that are reasonably designed to help protect the information from unauthorized access, use, modification, disclosure, or destruction, as appropriate to the nature of the information disclosed to the service provider. A third-party service provider is defined as an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.

4.          Security Breach Notification Requirements Enhanced

The new law significantly amends Colorado’s statute governing notifications of a security breach, C.R.S. § 6-1-716. A “security breach” is defined, in relevant part, as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.

Under the new provisions, a covered entity has no more than 30 days to provide notice of a security breach. Notice must be made to affected Colorado residents in a very specific manner including notice by mail, telephone, electronically, or by substitute notice, and must contain a myriad of information regarding the breach and options that are available to the affected person. If a breach is reasonably believed to have affected 500 Colorado residents or more, the entity also must provide notice of the breach to the Colorado Attorney General.

And, unlike the previous law, the 30-day period begins to run when the covered entity becomes aware that a “security breach may have occurred.” In the prior version of the law, the 30-day period did not begin to run until the covered entity became aware of a breach. This change is likely to increase the pressure on covered entities to timely respond to indicators and predictors of a security breach. 

Sanctions 

Employers who violate the law can face enforcement proceedings from the Colorado Attorney General or the district attorneys of the state. These proceedings can result in civil penalties of up to $2,000 per affected person, up to a maximum of $500,000 per incident. They also can be liable directly to affected persons who are harmed by the violation.

Steps for Employers to Take

The new data security requirements go into effect on September 1, 2018, so employers who maintain personal identifying information on Colorado residents have little time to prepare to comply. Steps to take include:

  • Develop and implement reasonable practices designed to protect personal identifying information from unauthorized access, use, or disclosure (e.g., password-protection, encryption, etc.) that are commensurate with the sensitivity of the personal identifying information.
  • Create a written policy regarding the destruction and disposal of paper and electronic documents containing personal identifying information.
  • Review agreements with third-party service providers to ensure that service providers have reasonable procedures to protect the security of personal identifying information provided to them.
  • If you have a security incident response plan, update it to reflect the changes in the law.
  • If you do not have a security incident response plan, prepare one to ensure that you can meet the new law’s notification requirements.

March 25, 2014

2014 Wyoming Legislature Keeps Status Quo, But Changes On The Horizon?

By Brad Cave

The 2014 session of the Wyoming Legislature did not pass any significant employment legislation, but the Legislature’s actions on some of the measures it did consider could portend a much more interesting 2015 legislative session. 

Independent Contractors.  The issue of independent contractors garnered the most legislative attention of any employment issue in the 2014 session.  In February, we reported on House Bill 16 which would have created misdemeanor criminal penalties for “knowingly failing to properly classify an individual as an employee” leading to a reduction in unemployment contributions or workers compensation premiums or benefits. (A companion measure, Senate File 112, was introduced in the Senate but failed to get sufficient votes for introduction.)  This measure was sponsored by the Joint Corporations, Elections and Political Subdivisions Interim Committee.   Although it failed to garner the two-thirds vote required for introduction during a budget session, a majority of the representatives in the House voted in favor introduction in the 32-26 vote.  This bill may rear its ugly head again in the 2015 general session, where introduction requires only a majority vote. 

On the bright side of the independent contractor issue, Senate File 96 proposed an amendment that would have relaxed the definition of independent contractor in the unemployment and workers compensation statutes.  Those two identical definitions currently require that a person classified as an independent contractor meet three requirements: 

  • The person is free from control or direction over the details of the performance of services by contract and by fact;
  • The person represents his services to the public as a self-employed individual or an independent contractor; and,
  • The person may substitute another individual to perform his services. 

These three factors have always been part of the commonly accepted definition of an independent contractor, as recognized by courts, other statutes and the Internal Revenue Service.  But courts and the IRS weigh these and several other factors, without any single factor or group of factors controlling the determination.  This approach permits employers to fashion independent contractor relationships under a variety of circumstances.  Because of the “and” between the second and third factor, the Wyoming definition requires employers to meet all three of these factors, regardless of the other circumstances surrounding the independent contractor relationship.  Add to that the fact that the second factor is wholly outside of the employer’s control, and you have a very strict and onerous definition. 

Senate File 96 would have added a second test to the unemployment and workers compensation definitions to give employers two ways to prove independent contractor status.  Under the second option, a person providing services would be properly classified as an independent contractor if the person: 

  • is free from control or direction, asserted directly by the person or entity contracting for the services, over the details of the performance of services by contract and by fact; and,
  • has substantial investment used in connection with the performance of the services.  The investment may include physical assets, financial assets, education, experience, intellectual property or any combination of these factors. 

This proposed change would obviously open the door to a broader range of independent contractor relationships, and recognize the importance and prevalence of the sole proprietor independent contractor, particularly in technology services.  

Senate File 96 passed the Senate with strong support, but the House defeated the measure by a vote of 54 to 6.   Reasons for its demise may include timing – it was brought to the floor of the House on the last day for the entire House to consider new measures.  Also, there may have been some confusion about whether the changes would be consistent with the IRS definitions of independent contractors and other statutory definitions.  Because the House had little or no time to resolve these questions, the measure died.  We encourage the Legislature to address this topic again next session. 

Employer Access to Social Media Accounts.   The surprise proposal of the session was Senate File 81, which would have put Wyoming on the bandwagon of other states which are restricting employer access to employees’ social media accounts.  This proposal would have amended the Wyoming Fair Employment Practices Act to make it an unfair employment practice for employers to “request or require” any employee or applicant to disclose any username, password or other method of accessing personal social medial accounts.  Social media accounts was broadly defined under the proposal, to include videos, images, blogs, podcasts, instant and text messages, email, internet websites or locations and other online services or accounts.  

The measure included exceptions to the general restrictions for (1) access to employer social media accounts used for the employer’s business purposes; (2) when personal social media is reasonably believed to be relevant to an investigation of allegation of employee misconduct or violation of laws or regulations, if access is limited to the investigation or a related proceeding; (3) when conducting an investigation of an employee’s social media when required to comply with the requirements of state or federal law, or the rules of a self-regulating organization; or, (4) when an applicant applies for law enforcement employment. 

Senate File 81 flew through the Senate with strong support, and started strong in the House, but was then defeated by a House vote of 36-16. 

Our experience suggests that this is a solution in search of a problem.  The huge majority of employers already avoid efforts to access employees’ social media because learning such information can cause all sorts of headaches for employers.  In fact, employers usually learn about employees’ social media content when employees report to the employer some other employee’s bad behavior as described on social media, and usually expect the employer to do something about it.  Although the exception for investigation-related access is helpful, even that language forces employers to couch their requests in terms that will simply raise the stakes of workplace situations. 

Wyoming employers should pay attention next session to see if the Legislature takes up this topic. 

Misconduct Disqualifications from Unemployment Benefits.  Senate File 76 added a new definition of misconduct to the unemployment compensation statute to outline the circumstances under which a former employee may be disqualified from unemployment benefits.  It was signed by Governor Mead on March 10, 2014, and will become effective on July 1, 2014. 

The unemployment compensation statute already states that an employee will be disqualified from benefits if the Department of Workforce Services finds that the employee was discharged for “misconduct connected with his work”  but does not define that phrase.  To fill the gap, several years ago the Wyoming Supreme Court adopted a definition that required a showing of an act of the employee that indicated a disregard of the employer’s interests or the commonly accepted duties, obligations and responsibilities of an employee, to include carelessness or negligence of such a degree or recurrence as to reveal willful intent or intentional disregard of the employer’s interests or the employee’s duties and obligations.  Violation of company policies or rules could qualify as misconduct under the court’s definition, provided the employee acted intentionally.  The court’s definition also provided that inefficiency, failure of good performance due to incapacity or inability, ordinary negligence or good faith errors in judgment were not adequate to disqualify an employee. 

The new definition of “misconduct connected with work” seems to adopt much of the Wyoming Supreme Court’s interpretation of the phrase.  The phrase is now defined as “an act of an employee which indicates an intentional disregard of the employer’s interests or the commonly accepted duties, obligations and responsibilities of an employee.”  The amendment also excludes from the definition of misconduct, (1) ordinary negligence in isolated instances; (2) good faith errors in judgment and discretion, and (3) inefficiency or failure in good performance as the result of inability or incapacity. 

Because the new statutory definition is very similar to the definition the Supreme Court has used for years, we will need to see how the definition is applied by the Department and the courts to determine whether the misconduct standard has changed at all through this amendment. 

Computer Trespass.  Although not an employment measure, House Bill 178 created a new criminal offense that may give employers a new tool to help prevent employee sabotage.  This measure, which passed both houses and was signed by Governor Mead, created the crime of computer trespass.  A computer trespass occurs when a person knowingly and without authorization, with the intent to damage or cause the malfunction of a computer, system or network, sends malware, data or a program which alters, damages or causes the malfunction of the computer, system or network, or causes it to disseminate sensitive information. 

The measure also created a civil remedy for computer trespass, and permits a person who suffers damage due to a trespass to sue the computer trespasser for damage to computers, systems, or networks, and the costs incurred because of the loss of use of those assets.  The person brining the action can recover the damages caused by the trespass, as well as the costs incurred to identify the trespasser and to serve a complaint on the trespasser. 

House Bill 178 was passed by both houses, and signed by Governor Mead on March 10, 2014.  The new law will become effective on July 1, 2014. 

This new law may be useful to employers if former or disgruntled employees attempt to misuse an employer’s computer systems.  Employers should adopt and periodically review technology policies that carefully define when and how employees are authorized to use the employers’ computer, systems and networks.  If an employee causes computer damage under questionable circumstances, such policies may help employers draw clear lines about when an employee’s access is unauthorized and pursue civil remedies under the statute. 

And the Rest of the Pack.  A few other employment measures never saw the light of day during the 2014 session.  House Bill 45, which would have raised the minimum wage, and House Bill 57, which would have restricted employers’ ability to restrict the post-termination value of accrued vacation, both failed to get enough votes for introduction.  

Bottom Line.  The 2015 legislative session should be interesting, with the possible return of independent contractor and social media legislation.  These are significant issues for Wyoming employers.  We will keep you posted.

Click here to print/email/pdf this article.

July 22, 2013

Myriad of Social Media Privacy Laws Create Havoc for Multi-State Employers

By Elizabeth Dunning 

ComputerDoes your company request that your employees and applicants provide user names and passwords to their personal social media accounts?  Do you require applicants to log onto their online accounts in your presence so that you can view their content?  Perhaps you ask employees to “friend” their supervisors.  If you haven’t followed new developments in state employment laws, you may not realize that such activities are unlawful in some states.  In just two years, eleven states have passed social media privacy laws that prevent employers from accessing employees’ and applicants’ personal online accounts.  Each state law differs in certain respects, making it difficult for multi-state employers to adopt a uniform and consistent social media policy.  To help sort things out, we highlight here the primary differences in the state social media privacy laws. 

States with Workplace Social Media or Internet Privacy Laws 

The eleven states that have enacted social media or internet privacy laws affecting employers to-date are:  Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington.  All but one of these states protect the access information for both current and prospective employees, with New Mexico only protecting the log-in information of applicants. 

Differences in State Social Media Laws 

Generally, all of these states prohibit an employer from requesting or requiring an employee or applicant to disclose his or her user name, password or other means of accessing his or her personal social media accounts. Many of these states also make it unlawful to discipline, discharge, discriminate against or penalize an employee, or fail to hire an applicant who refuses to disclose his or her access information to personal social media accounts.  However, that’s where the uniformity in the laws generally ends.  The following chart highlights numerous key differences between the state laws. 

Legal Provision

States Recognizing Provision

Prohibits employers from requesting that employee add employer representative or another employee to his or her list of contacts (e.g., “friend”)

Arkansas, Colorado, Oregon and Washington

Prohibits employers from requesting employee to access his or her personal social media account in the presence of the employer (“shoulder surfing”)

California, Michigan, Oregon and Washington

Prohibits employers from requesting employee to change the privacy settings on his or her personal social media accounts

Arkansas, Colorado and Washington

Specifically permits employers to view and access social media accounts that are publicly available

Arkansas, Illinois, Michigan, New Mexico, Oregon and Utah

Exception when access required to comply with laws or regulations of self-regulatory organizations

Arkansas, Nevada, Oregon and Washington

Exception for investigations of employee violation of law or employee misconduct

Arkansas, California, Michigan, Oregon, Utah and Washington (Colorado and Maryland limit this exception to investigation of securities or financial law compliance)

Exception for investigation of unauthorized downloading of employer’s proprietary, confidential or financial data

Colorado, Maryland, Michigan, Utah and Washington

Inadvertent acquisition of personal log-in information while monitoring employer systems not a violation but employer not permitted to use the log-in information to access personal social media accounts

Arkansas, Oregon and Washington

As you can see, the differences in the laws exceed the similarities, making it difficult for an employer operating in more than one covered state to comply with all applicable provisions.  Even the definition of covered social media accounts varies by state, creating even more inconsistencies. 

Would a Federal Law Help? 

With eleven laws in place and almost 20 additional states considering social media privacy bills, the issue seems ripe for a federal bill that would bring some uniformity to the protections offered to employees and applicants.  In February 2013, the Social Networking Online Protection Act, which offers such workplace protections, was introduced into the U.S. House of Representatives.  Unfortunately, it has languished in committee and is not expected to pass.  In addition, a federal law on the issue will likely only simplify the web of state laws if it specifically preempts state law.  Without federal preemption, we might face two sources of law on the issue, federal and state, which might muddy the waters even more.  In any event, it does not appear that a federal law will be enacted before additional states enact their own laws, leaving employers to struggle with the variances in state law. 

Best Practices for Complying with Social Media Privacy Laws 

With the vast amount of information available on social media and the increased use of social networking platforms for business purposes, it is likely that most employers will at some point need to access or review content on an employee’s or applicant’s social media account.  Perhaps it will be for an investigation of an employee who downloaded proprietary information or perhaps it will be to confirm derogatory statements about the company made by an employee.  Whatever the reason, the first step is to recognize that these laws exist and you will need to review which, if any, apply to your company and/or the employee involved.  Remember that you are generally free to access publicly available social media content.  However, if one of these state laws applies, consult with legal counsel before accessing (or requesting access to) any personal social media accounts to determine what restrictions and exceptions are applicable to your particular circumstances. 

Establish a social media policy specifying that employees are not permitted to disclose or post proprietary or confidential company information on their personal social media accounts.  Make a clear delineation between company/business-related social media accounts where you control who speaks on behalf of your organization, and personal accounts where employees do not represent the views of the company. Be careful that your social media policy does not run afoul of the National Labor Relations Act by interfering with employees’ right to discuss their wages and working conditions in a concerted manner.  Communicate your policy to your employees through normal channels, such as your employee handbook, online policy/intranet, etc. 

Train your supervisors, managers and human resources staff on these laws.  Sometimes supervisors or HR folks think it is acceptable to ask an employee to “friend” them online, or to ask for their log-in information to view pictures or other benign posts.  Despite good intentions, company representatives could get you into legal trouble so advise them of these laws and your restrictions on requesting access to personal social media accounts.


Disclaimer: This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice and are not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


Print Friendly and PDF

June 17, 2013

New Nevada Law Restricts Use of Credit Checks for Employment Purposes

By Anthony Hall and Dora Lane 

Nevada recently joined the ever-growing list of states that restrict the use of credit reports by employers.  Effective October 1, 2013, Senate Bill 127 will, with limited exceptions, prohibit Nevada employers from making an adverse employment decision based on credit information and from requesting or requiring any prospective or current employee to submit a consumer credit report as a condition of employment.   

Use of Credit Reports as an Unfair Employment Practice 

By amending the Employment Practices chapter of the Nevada Revised Statutes, Senate Bill 127 makes it unlawful for any Nevada employer to: 

1)  Directly or indirectly require, request, suggest or cause any employee or prospective employee to submit a consumer credit report or other credit information as a condition of employment; 

2)  Use, accept, refer to or inquire about a consumer credit report or other credit information; 

3)  Discipline, discharge, discriminate against or deny employment or promotion, or threaten to take such action, against any prospective or current employee on the basis of the results of a credit report or for refusing or failing to provide a credit report; or 

4)  Discipline, discharge, discriminate against or deny employment or promotion or threaten to take such action against any prospective or current employee for filing a complaint or instituting (or causing to be instituted) a legal proceeding under this law, testifying in any legal proceeding (actually or potentially) to enforce the provisions of this law, or exercising (individually or on behalf of another) rights afforded under this statute. 

Exceptions Allowing the Use of Credit Information 

Under this new law, employers are permitted to request or consider consumer credit reports or other credit information for the purpose of evaluating an employee or prospective employee for employment, promotion, reassignment or retention under the following circumstances: 

  • When required or authorized by state or federal law;
  • Upon reasonable belief that the individual has engaged in specific activity which may constitute a violation of state or federal law; or
  • When information in the credit report is reasonably related to the position for which the employee or prospective employee is being considered (including retention as an employee). 

For most employers seeking to use credit reports to evaluate employees and applicants, it is this last exception that typically comes into play.  Importantly, the new law defines what shall be deemed “reasonably related” to include positions where the duties involve one or more of the following non-exclusive categories:

Care, custody and handling of, or responsibility for, money, financial accounts, corporate credit or debit cards or other assets;

  • Access to trade secrets or other proprietary or confidential information;
  • Managerial or supervisory responsibility;
  • The direct exercise of law enforcement authority as a state or local law enforcement agency employee;
  • The care, custody and handling of, or responsibility for, the personal information of another person;
  • Access to the personal financial information of another person;
  • Employment with a financial institution chartered under state or federal law (including subsidiaries or affiliates of such financial institutions); or
  • Employment with a licensed gaming establishment.

Public and Private Enforcement of Credit Report Law 

This new law provides for two types of enforcement mechanisms with a three year statute of limitations.  First, an individual harmed by a violation of this statute may file a private lawsuit against the allegedly offending employer.  The lawsuit may be filed on behalf of the individual employee or prospective employee, or on behalf of other similarly situated employees or prospective employees.  Courts may grant successful plaintiffs various remedies including employment, reinstatement or promotion to the position applied for, lost wages and benefits, attorney’s fees and costs and any other equitable relief deemed appropriate (without the issuance of a bond). 

Second, the Nevada Labor Commissioner may impose an administrative penalty against an employer of up to $9,000 for each violation of the law or may bring a civil lawsuit against the employer to obtain equitable relief as may be appropriate, such as employment, reinstatement or promotion of the employee and the payment of lost wages and benefits.   

Complying with Credit Restriction Laws in Ten States 

In enacting this new law, Nevada became the tenth state to restrict the use of credit reports for employment purposes, joining California, Colorado, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington.  Additional states are considering similar legislation.  Further, the Equal Employment Opportunity Commission (EEOC) has targeted employers for the use of credit reports as potentially causing disparate impact on certain protected groups.  Complying with these laws can be challenging, especially for multi-state employers. 

Prior to the October 1, 2013 effective date of Nevada’s new law, employers who use credit reports or credit information in their hiring or evaluation process need to review their screening policies.  Specifically, employers hiring individuals in Nevada need to evaluate each position for which they want to use credit reports and determine if the position falls under one of the enumerated exceptions in Senate Bill 127 that allows the use of credit information on applicants and/or current employees.  If the duties of the position do not fall within the list of exceptions, employers should evaluate whether the credit report “is reasonably related to the position.”  If the answer to both of these questions is “no,” then the employer should not request or use credit reports or other information from a consumer reporting agency when evaluating candidates for that position.  Employers with operations or hiring needs in multiple states need to stay abreast of the latest legal requirements to ensure that their credit screening policies comply with each applicable state restriction. This may mean implementing a different credit screening policy in those states where the use of credit reports is restricted by law.


Disclaimer: This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice and are not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


Print Friendly and PDF

May 6, 2013

Colorado Restricts Employers’ Use of Credit Reports

By Mark Wiletsky 

Employers using credit reports to evaluate applicants and employees take note: Colorado recently enacted the “Employment Opportunity Act” limiting the use of credit reports in employment decisions.  In passing this law, Colorado joins eight other states–California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington–in restricting employers from obtaining and/or using credit history information when evaluating applicants and employees.   The new Colorado law exempts certain job positions from the prohibition on the use of credit reports, but the exceptions are very fact specific.  Employers need to analyze the job responsibilities of the position at issue in order to determine if they may use credit information under this new law. 

Prohibition on the Use of Consumer Credit Information for Employment Purposes 

Effective July 1, 2013, section 8-2-126 of the Colorado Revised Statutes provides that an employer shall not use consumer credit information for employment purposes unless the credit information is substantially related to the employee’s current or potential job.  This means that Colorado employers are prohibited from using credit information in the employment context except in those limited situations where credit or financial responsibility is substantially related to the job.  The type of information prohibited under this law includes any written, oral or other communication of information that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.  This includes a credit score, but does not include the name, address or date of birth of an employee associated with a social security number. 

“Substantially Related” Analysis Looks to Job Responsibilities 

When determining whether a particular position falls within the exception where credit information is “substantially related to the employee’s current or potential job,” employers may not rely on an informal, best-guess determination.  Instead, employers must carefully analyze whether the job in question meets the parameters detailed in the new law.  

Under Colorado’s law, “substantially related to the employee’s current or potential job” is defined to apply to positions that: 

1)         Constitute executive or management personnel or officers or employees who constitute professional staff to executive and management personnel, and the position involves one or more of the following: 

                A)    Setting the direction or control of a business, division, unit or an agency of a business;

                B)    A fiduciary responsibility to the employer;

                C)    Access to customers’, employees’, or the employer’s personal or financial information (other than information ordinarily provided in a retail transaction); or

                D)    The authority to issue payments, collect debts or enter into contracts; OR 

2)         Involves contracts with defense, intelligence, national security or space agencies of the federal government.

Consider this example:  you are hiring a human resource specialist who will administer employee benefits within your company.  May you obtain and use a credit report on applicants for this position?  Assuming this position does not involve federal defense, intelligence, national security or space agency contracts, you first must determine if this position is an executive or management position, or alternatively, if this position is considered professional staff to an executive or manager.  In our example, the employee benefits specialist position may or may not be an executive or management position at your company.  If not, the position may be considered professional staff to an executive or manager if the position reports to an HR Director, Vice President or other similar high level manager or officer.  If we assume this position meets this threshold determination, you next must analyze if the position involves one or more of the four areas of responsibilities where credit information will be deemed substantially related.  Because an employee benefits specialist is likely to have access to employees’ personal and perhaps financial information, it appears to fall within the third area of responsibility where credit information will be deemed substantially related to the job, but the answer is certainly not clear-cut.

Requesting Employee Consent to Obtain a Credit Report  

In addition to the prohibition on the use of credit information for employment purposes, the new Colorado law prohibits employers or their agents from requiring an employee to consent to a request for a credit report that contains information about the employee’s credit score, credit account balances, payment history, savings or checking account balances, or savings or checking account numbers as a condition of employment unless: 

            1) The employer is a bank or financial institution;

            2) The report is required by law; or

3) The report is substantially related to the employee’s current or potential job andthe employer has a bona fide purpose for requesting or using information in the credit report and is disclosed in writing to the employee.   

The written disclosure requirement here is a new procedural step with which most employers meeting this exception will not be familiar.  Employers meeting these criteria now need to provide applicants/employees with a notice of their business purpose for requesting credit information.

Employee May Be Allowed to Explain Circumstances Affecting Credit 

In those cases when an employer is permitted to use credit information because it is substantially related to the job, an employer may ask the employee to explain any unusual or mitigating circumstances that affected their credit history.  For example, if the credit report shows delinquent payments, the employer may inquire further allowing the employee to explain circumstances that may have caused the delinquencies, such as an act of identity theft, medical expense, a layoff, or a death, divorce or separation.   

Adverse Action Disclosure Required 

If the employer relies on any part of the credit information to take adverse action regarding the employee or applicant, the employer must disclose that fact and the particular information relied upon to the employee.  This disclosure must be made to the employee in writing but can be made to an applicant via the same medium in which the application was made (e.g., if the application was submitted electronically, this disclosure may be sent electronically). 

FCRA Obligations Still Apply 

Employers who are permitted to obtain and use credit reports under the Colorado law must also comply with the requirements of the Fair Credit Reporting Act (FCRA) in order to obtain a credit report from a consumer reporting agency.  These additional FCRA duties include: 

1)         Providing a clear and conspicuous written disclosure to the applicant/employee before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained;

2)         Getting written authorization from the applicant/employee before obtaining the report;

3)         Certifying to the consumer reporting agency that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer's rights will be provided to the consumer;

4)         Before taking an adverse action, providing a copy of the report and a summary of FCRA consumer rights to the applicant/employee; and

5)         After an adverse action is taken, sending an adverse action notice to the employee/applicant containing certain FCRA-required statements. 

Credit Check Compliance 

Colorado employers need to review and update their background check policies as they relate to conducting credit checks on applicants and existing employees.  In addition to FCRA obligations, employers wishing to use credit reports have additional restrictions and duties under state law.   

Employers now must analyze whether each position for which they wish to obtain credit reports meets the “substantially related to the employee’s current or potential job” criteria.  If the position meets that criteria and the employer wishes to obtain a credit report on an applicant or existing employee, the employer first must provide a written disclosure to the applicant/employee describing the bona fide purpose of obtaining the credit information.  If the credit report reveals questionable or negative information, the employer may (but is not required to) ask the applicant/employee to explain any unusual circumstances that may have led to the unfavorable credit information.  If the employer rejects the applicant/employee for the position based in any way on the credit report, the employer must provide the required FCRA adverse action notices as well as a written explanation of the particular information in the report that led to the employer’s decision. 

Multi-state employers face unique challenges when obtaining and using credit reports for employment purposes as they must comply with various state laws that now restrict such use.  Given the intricacies of complying with the FCRA and applicable state laws, employers are wise to consult with their counsel to review and update their credit check policies. 

 

April 25, 2013

Tips for Complying with Utah’s Internet Employment Privacy Act

By Elizabeth Dunning

Effective May 14, 2013, Utah employers may not request employees or applicants to disclose information related to their personal Internet accounts.  The Internet Employment Privacy Act(IEPA), recently signed into law by Utah Governor Gary R. Herbert, prohibits employers from asking an employee or applicant to reveal a username or password that allows access to the individual’s personal Internet account.  In addition, employers may not penalize or discriminate against an employee or applicant for failing to disclose a username or password.  A similar restriction applies to higher educational institutions through passage of the Internet Postsecondary Institution Privacy Act. 

With enactment of the IEPA, Utah becomes the fifth state to pass legislation that limits an employer’s access to social media accounts, joining California, Illinois, Maryland and Michigan.  New Mexico passed a similar law shortly after Utah and New Jersey’s law passed the legislature and is awaiting the governor’s signature.  A bill introduced in February in the U.S. House of Representatives called the Social Networking Online Protection Act (H.R. 537) is stuck in committee. 

Public Online Accounts Are Fair Game under the IEPA 

The IEPA does not restrict or prohibit employers from viewing or using online information about employees and applicants that the employer can obtain without the employee’s username or password.  Any online information that is available to the public may be accessed and viewed by employers without violating the IEPA.  Consequently, individuals who set privacy settings on their online accounts to allow “public” access effectively opt themselves out of any protections offered by this new law. 

Utah Restriction Applies to Accounts Used Exclusively for Personal Communication 

In prohibiting employers from requiring disclosure of online usernames and passwords, the IEPA draws a distinction between personal Internet accounts and those used for business related communications.  The law only restricts employer access to personal online accounts that are used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer.  It does not, however, restrict access to accounts created, maintained, used or accessed by an employee or applicant for business related communications or for a business purpose of the employer.  

In practice, the line between personal and business related accounts may be blurred as many employees use their personal online presence to network and communicate for business reasons.  Consider the sales person who uses his or her LinkedIn account to communicate with potential buyers within a particular industry, or the CPA who posts tax reminders on his or her Facebook page.  Are those accounts accessible under the IEPA since they are not used “exclusively” for personal communications?  A plain reading of the law suggests that may be the case, thereby watering down the potential protections offered by the IEPA to applicants and employees.   

Steps for Complying with the IEPA 

Utah employers should review their HR forms, policies and practices to ensure that they do not ask applicants and/or employees to provide a username or password to their personal Internet accounts.   Train supervisors and managers not to ask for this information as well.  In fact, take the opportunity to remind supervisors and managers not to “friend” subordinates on personal online platforms, such as Facebook.  In addition, reinforce that employees and applicants may not be penalized or treated adversely for failing to provide a username or password for personal online accounts.   

Remember, too, that even though the IEPA does not prohibit accessing an employee’s or applicant’s public social media accounts, viewing such information creates other risks.  Employers may view information regarding the individual’s religion, race, national origin, disability, age, or other protected group status that could give rise to a discrimination claim.  Furthermore, online information is unreliable and ever-changing, meaning that employers should not rely on what they see online when making employment decisions.  To stay out of trouble, consult with legal counsel before viewing or using social media in the employment context.

For more information about permissible actions and potential damages under the Utah Internet Employment Privacy Act, please see our Client Alert.

February 26, 2013

Who Owns Your Employees’ LinkedIn Profiles? The Answer Might Surprise You.

By Mark B. Wiletsky

If your employees use LinkedIn to establish and maintain contacts for business purposes (such as sales), what happens to those accounts—and contacts—when the employee quits or is fired?  Can an employer who has access to an employee’s LinkedIn profile change her password and replace information in her profile following her termination?  No, says at least one federal judge in Pennsylvania recently, though that case is not yet over.  As explained below, employers should be careful before assuming that they own their employees’ LinkedIn profiles. 

Employer Access to High Level Executive Profiles

Edcomm, Inc., a banking education company, strongly urged its employees to create LinkedIn accounts using their company email addresses as a business networking tool.  It had employee policies governing online postings and specified that if employees identified themselves as an Edcomm employee, they needed to use a specific template that contained pre-approved content about the company and referred to the company’s website.  The company provided a photographer to take professional photos for employee use on their LinkedIn accounts.  It also allowed some Edcomm employees to access, develop and administer the LinkedIn accounts of senior management, such as responding to invitations, inviting new contacts and researching good news stories to include on their LinkedIn pages.

After being acquired by another company, Edcomm, Inc. terminated its company president and founder, Linda Eagle, as well as several other top executives. After her termination, Edcomm locked Eagle out of her LinkedIn profile by changing her password.  It then changed the information on the profile to that of the new acting CEO.

Company Argues LinkedIn Account was Akin to a Client List

Eagle sued Edcomm alleging numerous violations of state and federal law, including invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft and conversion.  Edcomm argued that the LinkedIn accounts were used to contact new clients and promote the company’s services.  As such, the company claimed that its take over of Eagle’s account was similar to the company keeping possession of a client list after an employee is terminated. 

The Judge didn’t buy it.  At a recent hearing, Judge Ronald Buckwalter stated that Edcomm likely had no right to change Eagle’s LinkedIn password and change her profile information.  He noted that the company had no internal policy that would hand over ownership of employee profiles when employees left the company and that the LinkedIn accounts belonged to the individual employees. 

Be Prepared For An Employee’s Departure

Although it is wise to implement a social media policy to address employee use of company information on personal or company-sponsored social media accounts, you need to be wary of who owns the rights to such information.  First, as indicated in the Edcomm case above, you risk potential invasion of privacy and other claims.  Second, the employee might have rights to the account independent of the employer, as established in an agreement between the service provider and the employee.  At a minimum, consider implementing specific policies that address these issues up front, and consider what services your employees are using to establish and maintain connections with clients.  The fact that contacts are connected through LinkedIn, Facebook, or some other social media site can significantly impact an argument that such contacts are protectable trade secrets.  Lastly, don’t forget that forcing access to employees’ social media can be risky.  Four states have enacted legislation to prohibit or restrict employers from asking for social media access and many other states are currently debating similar restrictions.

April 10, 2012

Maryland Protects Employees’ Social Media

By Mark Wiletsky

According to various blogs, including a post by the ACLU, Maryland has become the first state to ban employers from requiring employees or applicants to provide access to their otherwise protected social media accounts.  I have not yet seen the text of the bill that Maryland passed, but the new law is not entirely surprising in light of the furor that recently erupted–which gained national media attention–based on reports of a few employers demanding access to applicants' or employees' Facebook and other social media accounts. Whether Maryland's law protecting employees' social media accounts is the first of many state laws, or even a new federal law, remains to be seen.  Regardless, this is yet another indication to employers to be cautious about social media.  Employees' use of and access to social media–both inside and away from the workplace–raises novel issues that courts and legislatures will have to address.  Until more definitive guidance is provided, be aware that your practices may need to modified and reviewed regularly to address this evolving area of the law.