Posts

Well, it’s amazing isn’t it? The month of January of 2012 is almost done and so much has already happened. Here are some interesting social media and the law news that I found, as well as some other fun pieces to carry you over for the day until tomorrow’s Draw the Law.

Google and Privacy Concerns (this well continue to be an issue for 2012 for all Social Media)

Have you noticed that Goolge is making some major pushes lately?  Well come March 1 the search engine plans on doing a turnabout and begin combining information it collects about the user from various sites/services into a single profile. Definitely a privacy issue brewing, especially when the privacy officer has to issue statements. Click: Google to merge user data across its services – CNN.com You can also read the lengthy notification, which you keep bypassing when you log onto your Google+ page.

GPS = 4th Amendment “Search” as Determined by SCOTUS

For all of you interested in criminal law, like Marcus Landsberg criminal lawyer extraordinaire, notice that the Supreme Court- GPS Tracking Is Illegal Without Warrant. Basically, SCOTUS feels that the use of a GPS Tracking device is a “search” for the purposes of the 4th Amendment, thus cops must get a warrant.

Mutant Toys or Mutant Dolls? Yes, it Matters

This was a great listen if you love comic books and would like to theorize that certain superheroes are not human. Basically, the point of this podcast: Mutant Rights – Radiolab, was showing the importance of the word “doll” versus “toy” – you may not think it means much, but if you are an IP attorney and have an import business getting a cheaper rate for your action figures is a must and it all boils down to if a mutant is a human or not.

Department of Homeland Security Following Facebook Posts

Earlier this month DHS released a document stating it is monitoring social media and news sites. They cited federal law that they have to “provide situational awareness” to federal, state, local and tribal governments. You can read more about this here: DHS watching social media, news sites | Greeley Gazette.

NLRB Finds Certain Arbitration Clauses Violate Labor Laws

The National Labor Relations Board (NLRB) has determined that mandatory arbitration agreements that prevent employees from joining together to pursue employment-related legal claims in any forum, whether in arbitration or in court violate federal labor laws. Check that announcement here: Board finds that certain mandatory arbitration agreements violate federal labor law.

Local Startup and Social Media Infromation

For you startup lovers, don’t forget tomorrow night will be Startup Hawaii kickoff. For more information, check it out here: Startup America Comes to Hawaii | Aloha StartUps. It will be at Bar 35 downtown. Definitely come on down if you started or are going to start a business!

Also check back at Alohastartups.com as I will be writing some future posts talking about Hawaii’s new legal non-profit aimed at helping entrepreneurs and startups, Business Law Corp. (businesslawcorps.org). I hope to get some interviews with the founders soon!

Finally, clear sometime in February as I will be getting down with Social Media and the Law as I will be trying to schedule a talk at The Greenhouse Innovation Hub and will be a panelists at Social Media Club Hawaii’s Creating a social media policy for business – what, how and when? event at Amuse Wine Bar on Feb. 21st. Hope to see you there!

If you like today’s post or any of my other series please “Subscribe” to this blawg to receive e-mail updates.  In addition, follow me on Twitter and “Like” me on Facebook.  If you need to contact me directly, please e-mail me at Ryankhew@hawaiiesquire.com.

For the past two Draw the Law posts I have focused on workplace privacy protections, which have included the following topics:

  1. Credit and background Checks and Surveillance and Electronic Monitoring
  2. Searching Personal Property and HIPAA Privacy

Today is the final day for the subject of dealing with sensitive or private information in the workplace.  I will be focusing on Job References, Social Security Numbers, and other kinds of Personal Information. Note that the last two types of information require businesses to protect them for not only employees, but people in general. This includes customers/clients/patients.  This is good because next week I will focus on legal issues with customers, and this is a nice segue into that series of posts.

Job References Immunity (HRS 663-1.95)

Suppose you let an employee go and a couple of weeks later another company calls you up asking about this former employee. If the former employee was decent or good you may consider giving them a reference or providing information to put them in a positive light. However, if they were terrible you may be inclined to be honest, as you do not want another employer to go through the headaches you did.

While, this is not privacy matter per se, it is a sharing of information about someone and in the State of Hawaii we give employers a “qualified immunity” for providing this information. If you provide a job reference about a current or former employee to a prospective employer you just need to act in good faith when you give this information (even if it may be negative.

Many times a former employee cannot get employed, and find out that a old boss is telling things that are brutal to their career. However, the employee has to prove in a court of law that what the former boss knows they saying false things or trying to mislead the asking employer.

While, you may have a defense against a former angry employee you might not want to say whatever you want, no matter how true the matter may be. The best strategy here is to develop a termination process, tell the employee (or wait for them to ask) that you can be used as a reference, and prepare a list of things to tell a prospective employer about them and keep it with the employees file.

Social Security Numbers (HRS 487J)

In the State of Hawaii we protect Social Security Numbers (SSN) .  More specifically, we prevent businesses from doing the following:

  1. printing an individual’s entire SSN on anything mailed to the individual, except in 2 situations: (a)what is being mailed is between employer-to-employee; or (b) the person requests that their entire SSN is sent;
  2. requiring people to give their SSN over the Internet, unless the connection is secure or the SSN is encrypted (thus job application forms on websites have those secure login protocols);
  3. requiring people to use their SSN to access an Internet website, except in the situation where a PIN or password is also required to access the website.

In general, if you do not have the sophisticated job application systems you probably want to avoid using SSNs and trying to gain more information through interviewing. SSN is sensitive information and the State takes it seriously. So much so for every violation the penalty is $2,500.

Personal Information (HRS 487R)

In addition to SSNs, other types of personal information are protected against unauthorized access and businesses that collect this information either for employment purposes or a customer database need to avoid disclosing this information. Basically, we have given people the right to be protected and safe knowing this information is being safeguarded by the entities we give them to.

What is Personal Information?

So “personal information” is a very specific set of information. Most of it you have memorized as you routinely use it to verify who you are whether it is for employment, getting benefit from the government or other instiutions, and for records purposes.

Personal information = person’s name + any of the following:

  1. SSN;
  2. Driver’s License Number;
  3. Financial Account number;
  4. a code that allows access to financial information.

How can a Business Take Reasonable Measures to Protect this Information?

The main goal is so that information cannot be read or reconstructed based on the medium it was recorded so any of the following methods is appropriate depending on the situation:

  1. Burning;
  2. Pulverizing
  3. Recycling;
  4. Shredding papers;
  5. Destroying electronic media;
  6. Erasing electronic media;
  7. Or finally a catch-all, a procedure relating to the adequate destruction of personal records as official policy in the writing of the business entity.

If you are a one-person shop, like I am. Invest in a good shredder.  If you are a larger business consider outsourcing to a professional information destruction service. However, before you sign that agreement with them make sure you review their policies and procedures, and insure that they are thorough because you are still responsible for any leaked information.

Similar, to the SSN situation you may be fined up to $2,500 per violation by the government. If you have a lot of workers and customers in your database and a fraction of that is leaked you could have a very expensive lawsuit.  In addition, to the government coming after you the person who’s information that you released by accident can also sue you.

Final Word: Record Retention and Destruction

In this age where we get an ID or number for everything we do we set-up databases to contain all that information and make it easy to sort through. However, those numbers represent people and the law has decided to protect that information. Therefore, a business needs to have a thorough record retention and destruction policy. In addition, it becomes key that the people who access this information (no matter how routine or mundane it may seem) are responsible. If you need to figure out how to handle sensitive information or need an update/review your procedures in this area contact a HR specialist or attorney to help your compliance steps.

Remember that next week we will move out of human resource problems and move on to legal issues with customers. Also stay tuned a poll determining what the next subject of my talk at The Box Jelly, Hawaii’s first coworking space, will be going up soon.

Have an Aloha Friday!

*Disclaimer:  This post discusses general legal issues, but does not constitute legal advice in any respect.  No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction.  Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.

If you like today’s post or any of my other series please “Subscribe” to this blawg to receive e-mail updates.  In addition, follow me on Twitter and “Like” me on Facebook.  If you need to contact me directly, please e-mail me at Ryankhew@hawaiiesquire.com.
Today’s post is following up on the kind of laws you as an employer should be worried about when dealing with employee privacy.  Last week I discussed Credit and Background Checks, as well as Surveillance and Electronic Monitoring.  Specifically, I will discuss Searching Personal Property and HIPAA Privacy.

Searching Personal Property

Remember worker safety?   Well, the employer has to create a safe work environment.  The employer also would like to make sure that company property remains in the possession of the company.  Lastly, the company needs to make workers remain productivity or doing what they are supposed to be doing.  Therefore, there is a need to search by the employer desks, lockers, and personal items brought onto premise by workers.

For today’s discussion I will focus solely on private employers, as public employers have different laws protecting them.  In general, an employer should not invade their employee’s privacy because they could be violating various laws, such as misappropriation, intrusion, false light, and unreasonable publicity.

Written Policy: Reserving the Right to Search

A company should adopt a policy that reserves the right to search desks, lockers, and other private places (this includes the employees’ person).  This needs to be carefully worded, as not to overstep the employer’s boundaries.  Basically, it should give the searches context, and explain to the employee when they will be conducted.   The employee should sign (acknowledging and consenting) to the searches.

Management should then go through a process determining when they should conduct a search.  Here are some questions that you should consider before conducting a search:

  1. Is there a legitimate business reason search?  Is it reasonable?
  2. Is there an objective rationale behind the search (do you have good evidence)?
  3. Will the search provide clear evidence that company policy or the law has been violated?
  4. If the search is conducted, will it provide safety to the public or workers by mitigating a risk?

*Do not go on fishing expeditions, it looks like you are grasping at straws and looks especially bad if the search did not yield any results.  Keep the search narrow and focused on the violation that you think the employee has committed.

During the Actual Search

If it is possible, because a search is an antagonistic situation try and get their consent.  When you conduct the search consider that the employee is highly stressed and you may want have these things in mind:

  1. you will want to make this as non-coercive as possible by allowing them to leave;
  2. do not threaten, physically or verbally abuse them;
  3. keep questions to minimum and focus on the task at hand;
  4. have a witness.

HIPAA Privacy

If you have gone to the doctor’s office before, and are a new patient all those forms you have to sign regarding protection of your health information has to do with HIPAA.  However, what does HIPAA have to do with employers?

Protected Health Information

Employers are increasingly becoming involved with the health of their workers do to regulation and the provision of benefits.  Therefore, at some point you may have a worker’s “protected health information”  (PHI) in your possession, which is covered under HIPAA.  PHI is very broad and in general just remember it is health/condition information created or received by not just those in the health care industry, but can be an employer, life insurer, and a school or university.

Basically, if try to obtain PHI from an employer’s physician or have a self-insured health plan, or are actively involved in plan administration, or happen to be one in the medical industry your business needs to make sure it does not disclose this information.  In addition, there are very specific requirements about how to handle and keep secure HIPAA-related information.

Last Word

In the case of both these privacy law issues it is best to seek out an attorney to help make sure you are compliant and help you draft/review documentation to use.  Worker privacy is always a delicate balance of respecting employee rights, but making sure the company is safe, secure, and can meet its own needs.

*Disclaimer:  This post discusses general legal issues, but does not constitute legal advice in any respect.  No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction.  Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.

As you can see from the prior Draw the Law posts, you as the employer, are responsible for your employees’ health, safety, paying them, and for protecting their information.  Today’s Draw the Law (and the next two) will be about protecting employees’ private information.
So a Hawaii employer should think about the following situations when it comes to employee privacy:

  1. Credit and Background Checks
  2. Surveillance and Electronic Monitoring
  3. Searching Personal Property
  4. HIPAA Privacy
  5. Job References
  6. Social Security Numbers
  7. Other Personal Information

As you can see there are a lot of situations you need to be worried about, so I will be breaking this topic into Part I today, which will cover the first two situations.   Part II will handle numbers 3 and 4.  Finally, Part III will handle 5 – 7.

Credit and Background Checks

While you may think that the Fair Credit Reporting Act (“FCRA”) applies only to consumer reporting, it actually also applies to employers who obtain and use information from consumer reporting industries for their job applicants or current employees.  It applies not only to consumer credit reports, but educational background checks, license checks, employment history and the like when the information is obtained from a entity that regularly puts together these types of reports (even includes private investigators).

As the employer, you must:

  1. give notice to the person you intend to get a report on;
  2. obtain their written authorization to that the agree;
  3. if you take an adverse employment action based on the information received you must also give notice in that situation.

The Reports and Reporting Agency

The Federal Trade Commission is responsible for this law and it only focused on certain types of information to be found in the reports.  The following pieces of information are not covered by FCRA:

  1. criminal or court records, when obtained from the state agency that is responsible for providing the public with this information; and
  2. drug testing results, when directly provided by the lab to the employee.

The key to this law has to do with from whom you obtain the reports from.  This law only cares about if you obtain information from an entity that makes its business from providing the protected information.  For example, if you have a job applicant and you directly contact their prior employer for information that does not make their prior employer a consumer reporting agency.  Likewise, if the job applicant lists references, their professors, colleagues, and the like are not furnishing you with consumer report.

You, the employer, have to make very specific disclosures to applicants/employees at these time frames:

  1. before getting the report
  2. before make an adverse decision (includes denial of employment, transfer, raise, promotion, etc . . . )
  3. and after taking an adverse action.

A thing to note here, there are two different types of reports: consumer and investigative consumer.  They both have different and very specific requirements in terms of disclosure.   If you have questions ask an attorney or expert in the matter.

Takeaway

The main thing to take away from this section is you probably want to use these checks sparingly.  While, there are all these legal ramifications, sometimes ordering a report can just be more costly compared to a simple call based on the applicant’s reference list.  If you do decide to get a report be sure to follow specific procedures of disclosure.  Once again, if you are unsure contact an attorney to help you.

Monitoring Your Employees

For those of you have been following my blawg for a while you know that I did a series of posts on Social Media and the Law, well this section is related to that.  In general, when you monitor your employees through accessing e-mail, social networks, etc . . . you have a series of laws to watch out for.  I am only going to focus on two federal laws, but there are a series of other laws to consider as well.

Electronic and Stored Communications

Electronic Communications Privacy Act (ECPA) governs electronic communications in the workplace that transmit data (this includes the telephone).  Specifically, Title I of the act cares about the transmission and interception of the communications.  Title II, which is known as the Stored Communications Act (SCA), protects the privacy and is focused on the access of stored electronic information.  The main concern for employers is that they should watch themselves when they begin monitoring employees through communication devices.

Employers may have the opportunity to take advantage of three exemptions in the ECPA.  They are as follows:

  1. electronic communications may be monitored if a person gives consent (which an employer should obtain written consent);
  2. “business extension” situation which applies to an employer that uses telephone extension to monitor employees in the ordinary course of business; and
  3. the “provider” of the electronic communication service who monitors communications as a “necessary incident” to the providing or service (or to protect its rights or property) may also be exempt.

In general, an intercepted communication may only be used for a stated business purpose.  Once you have reasonably determined that the subject of an intercepted communication is not relevant to the business purpose for which monitoring took place the monitoring must cease and the contents of the communication disregarded.  Generally, software that merely records e-mail addresses/URLs should be legal under the business extension exception to federal prohibitions against recording without consent.

In general, a lot of the information covered in the Social Media and the Law series talks about more specific concerns employers have when monitoring social media.  However, a lot of that is relevant to this matter, as employees use the devices covered by the ECPA and SCA to use their social media accounts.

Last Word

The main thing to takeaway from all this is to use NOTICE AND CONSENT.  The laws only protect a reasonable expectation of privacy held by employees.  The employee no longer as a reasonable expectation if you notify them you intend to monitor telephone calls, they have given you the right of access to their e-mail, text messages, and internet transmissions, etc . . . .  Basically, consent will cut off any claims of violating ECPA or privacy common law.  This is why having a comprehensive policy that deals with electronics, their use, and what rights employees have regarding them is important.  As stated in the Social Media and the Law, you should seek out an attorney or expert to help craft your policies or review them periodically to make sure that your procedures are in compliance.

Next time, I will focus on searching employees’ personal property (think of it like what was discussed today, but now in physical space) and HIPAA regulations with regard to employee information.  If you liked this post or any of my other series please “Subscribe” to this blawg to receive e-mail updates.  In addition, follow me on Twitter and “Like” me on Facebook.  If you need to contact me directly, please e-mail me at Ryankhew@hawaiiesquire.com.

*Disclaimer:  This post discusses general legal issues, but does not constitute legal advice in any respect.  No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction.  Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.

For the past several weeks I have discussed the concerns of just putting things on your Facebook, Twitter, and other social media accounts.  I shared with you a few of the scenarios and stories that companies, employees, and people go through when social media goes awry at the workplace.
However, how does this stuff come up, legally speaking?  That’s where we have the Rules of Evidence.  For you readers that are laypeople I will try to keep this as simple as possible, but bear in mind you will be exposed to some legal terms.   For attorneys and law students, we will be sticking to Federal Rules, even though I am in Hawaii.

The Starting Point: Relevancy

Generally speaking, for evidence to be admissible it has to be relevant.  Yes, it is an extremely low threshold and in the realm of fast postings, easy tweets, and tons of drinking pictures that is kind of scary.  Is it relevant that you posted a picture of you jumping up and down partying at the bar?

Yeah, it might be, if you are in a battle over workers’ compensation with your employer and its insurance company over your work-related back injury and that picture was taken after your claim.

Thus, many things in the realm of social media become pieces that lawyers will use to try and craft a story on a matter in a case.  Another words, all those posts, tweets, pics, videos, and whatever else you are throwing up on your account could be fair game as evidence.

What about my Right to Privacy?

While the threshold for admitting evidence is relatively easy, it just needs to be relevant, don’t you lawyers have all these exceptions to the rule?  Can I not claim the stuff I put on my Facebook and Twitter accounts is private stuff?

Yes, we have exceptions.  But, the Right to Privacy in social media is NOT one of them.   This case simply illustrates the principle of why you cannot post or tweet something believing it will be protected.  In Romano v. Steelcase, Inc., 2010 WL 3703242, the New York Supreme Court ordered one party to turnover their MySpace and Facebook content to the opposing party.  For this matter content includes photographs, posts, and even recent deletions.  Why?  The court stated when a person chooses to disclose or share such information their ability to then say that is private is weakened.   If you choose to put it up, then how can you reasonably say you think it will be private?

What about the Terms of Service or Privacy Policy? Won’t that Protect Me?

Facebook, Twitter, and all the other social media sites all have varying Terms of Service and Privacy Policies, but they do remind you that while striving to maintain privacy and giving you the utmost control over your information there is no such thing as perfect privacy in social media.

Risks inherent in sharing information. Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. You can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.

(emphasis added) Take from Section 8 of Facebook’s Privacy Policy page.

If You are Worried About It, Don’t Post It

As many professionals both in social media and legal circles have told me.  Once you post something it does not go away.  Therefore, in situations where you claimed one thing to one person, but your social media posts clearly shows something else you could find yourself in trouble unexpectedly.  For instance you called in sick to work, but you are showing pictures of yourself at the beach.

Bottom line:  If you don’t want something used against you in court, don’t post it.

—-

Next time, I will continue the discussion of social media information usage in trial and litigation work and some of the rules and cases that are shaping the laws interaction with these forms of communication.

Don’t forget if you enjoy this series or any of the other series on my blawg feel free to subscribe in the right-hand corner of this page to receive e-mail updates on posts.  If you are on Facebook be sure to “Like” “Ryan K. Hew” to get updates there as well.

*Disclaimer:  This post discusses general legal issues, but does not constitute legal advice in any respect.   No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction.   Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.