Employees Off-Work, But Online

This post was written by E. David Krulewicz and Cindy Schmitt Minniti.

Facebook, MySpace and Twitter have become household names, a ubiquitous part of the daily lives of many and often a tool for keeping in touch with friends and family. These websites are increasingly being used by individuals to document their daily lives and activities, voice their concerns and post their opinions for the world to read and respond to. The business community has also turned to these “social media” websites as a means for marketing their brands and, in some instances, for obtaining information about current employees and prospective job applicants. A series of recent cases reminds us there are significant risks related to the posting and/or use of information discovered on “social media” websites.

For example, in Pietrylo and Marino v. Hillstone Restaurant Group, a case pending in the United States District Court for the District of New Jersey, two individuals sued their former employer after they were terminated for posting complaints about their workplace on an invitation-only discussion forum on MySpace.com. Much to the employees’ surprise, managers from Hillstone Restaurant Group were able to access this discussion board (although the parties dispute whether the managers had a right to do so) and were less than pleased with what they read. The employees were quickly terminated and a lawsuit followed.

In their complaint, the former employees assert their employer not only violated state and federal Wiretap and Stored Communications Acts by accessing the invitation-only forum, but wrongfully terminated them in violation of New Jersey’s public policy favoring free expression and privacy as embodied in the U.S. and the New Jersey Constitutions. Their employer has denied the claims and asserts the plaintiffs were “at-will” employees who could be terminated for any reason or no reason at all.

Ultimately, the question of liability may hinge upon whether the employees had a right to privacy for statements made online and whether the employer has a right to make disciplinary decisions based on an employee’s off-duty conduct.

Although legal commentators and privacy advocates debate how the trial will unfold when the case goes to trial later this summer, they all agree the case highlights real-world issues that can follow an individual’s seemingly innocent decision to post his or her thoughts on a social networking website. This is far from an isolated incident – indeed, the sports media recently reported a similar incident involving the Philadelphia Eagles’ termination of a long-time employee for disparaging the team’s management and its decision to release a prominent player on his Facebook page.

While it is unclear if any of the companies in the cases above had a policy or provided instruction to their employees on these issues, it should not surprise you that increasingly business employers are finding they must do so. Clearly, before making decisions or taking action against employees for online, but off-duty conduct, employers should seek legal counsel from lawyers who understand these issues and can guide you in this dynamically evolving environment – where federal and state (and sometimes municipal or local) law may apply and little, if any, precedent currently exists. Worried? Need help? Need to understand more? Contact E. David Krulewicz or Cindy Schmitt Minniti or the Rimon lawyer with whom you work. 

Update:  Today, May 20th, after this story was posted, the U.S. House of Representatives also approved the bill regulating some common credit card and gift card industry practices. It is likely President Obama will sign the bill once it arrives on his desk.

Digital Dilemma – How To Respond When Law Enforcement Knocks

The SEC shows up at your door asking for documents relating to options and securities granted for the past 10 years. Homeland Security Officers arrive at your plant asking to speak to several employees and asking for copies of employment records. State police, having confiscated laptop computers and CD-ROM files during a drug bust, show up at your door asking to compare database records since they suspect that identity theft or credit card fraud may be afoot. The Department of Justice wants to interview several of your employees, claiming some may have entered the United States on non-immigrant visas. Sound far-fetched? Probably not these days.

With the economy in turmoil, corporate officers on the defensive, immigration under attack, and money laundering, piracy, drugs, terrorism and Ponzi schemes making headlines almost every day, law enforcement and regulatory officials are under increasing scrutiny and increasing pressure to protect the public and get results. It doesn’t take much imagination to appreciate that during the course of a criminal investigation, the most compelling evidence often arises from third parties who aren’t even knowingly involved; airline, credit card, hotel, telephone, email and other records can often document the where, when and sometimes how of criminal activity.

From a civil law point of view, competitive pressures can lead to claims of economic espionage and theft of trade secrets, and antitrust issues can arise that will spawn litigation and the compelled disclosure of evidence. Indeed, any corporate executive or corporate lawyer who has ever been on the receiving end of a third party subpoena issued to them—innocent third parties—knows how burdensome and costly such requests for evidence can be, even if you aren’t a party to the lawsuit.

In a digital world, it is also far too easy to collect, maintain and copy vast amounts of information—information accessible with several keystrokes, available on easily transportable magnetic media. For corporations and their executives and managers, growing and often regular dilemmas must be confronted when law enforcement or regulators show up at the door and start asking questions or requesting information. Corporations have legal obligations involving compliance and cooperation with law enforcement and regulatory officials. But they also have responsibilities and legal obligations to their employees and their workplaces—and to their shareholders. If not done properly, cooperating with law enforcement and regulators can lead to lawsuits by employees, customers and, sometimes—if large amounts of time and money are expended because of improper or inadequate procedures—even shareholders. 

France: Online Ads Could Lead to User Data ‘Merchandising’

In a report entitled “Targeted Online Advertising” (La Publicité Ciblée en Ligne), presented in February and recently released publicly, the French data protection regulatory authority (CNIL) has expressed concern that targeted online advertising could be a conduit for the merchandising of personally identifiable information about online users. 

The CNIL has been examining context-sensitive, behavioral marketing and targeted advertising mechanisms online, and is concerned about privacy implications. The report notes that analyzing online user data for the purpose of serving more relevant advertising involves the collection of Internet protocol addresses, what websites a user arrived from or subsequently visited, and even key words entered by the user. In case you haven’t thought about it, definitions are hardly uniform in laws and regulations around the world; for example, an IP address is considered personal data in the EU, but is not personally identifiable information in the United States.

The report raises an alarm over what could be a means of “systematic profiling” and examines what it believes are growing risks to privacy in this context. In France, and many jurisdictions, targeted advertising must comply with the same data protection rules that apply to the use of personal data online. The French authorities have consistently maintained that users should be specifically informed about how their data will be used, and should be given the opportunity to opt out of these uses—even if it means they can no longer use the services available on the site.

The report also specifically notes that many free services on the Internet are actually subsidized by advertising. While “free” is an accurate financial description in a literal sense, consumers often don’t appreciate they are actually paying a “price”—the value of personal information provided in exchange for “free” services they receive online. 

While the report does not attempt to cover mobile or wireless advertising broadly, it does note that adding information about a user’s location through GPS and other technology adds tracking capability that the CNIL fears will allow for even greater intrusion and profiling of individual behavior. You can read the entire CNIL report in French on their website at “La publicité ciblée en ligne” (Targeted Online Advertising).

FCC Issues Parental Controls’ Inquiry for Video and Audio

On March 3, 2009, the Federal Communications Commission (“FCC”) released a Notice of Inquiry to implement the Child Safe Viewing Act of 2007 (“CSVA”), which directs the FCC to examine advanced parental control technologies that would be compatible with various communications devices and platforms.

Click here to read the full alert, written by Amy S. Mushahwar, Judith L. Harris, and John P. Feldman.

The War on Privacy Opens a New Front

In the aftermath of many well publicized data breaches, in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem, have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.

Cyber Attacks? It’s Not Just War Games Anymore

Is a cyber attack an act of war? Analysts reported that while the Russian military was acting against the Georgian republic, Georgian websites were also under attack. Cyber warfare can exploit security gaps to take control of civilian infrastructure, such as power grids, as well as government websites and military command and control operations. It has long been known that cyber-weaponry could supplement (and sometimes replace) traditional military activities. But when does a cyber-attack itself constitute an act of war? (We all appreciate the notion of “war” as a historical concept has changed and continues to change.) Tactics such as urban warfare, bioterrorism and suicide bombers have caused grave concern, not only over government’s ability to deter violent and damaging non-traditional acts of war, but also how to respond when they occur. A big challenge in the cyber warfare world is identifying who did it. In 2007, Estonia asked NATO to come to its defense when a cyber attack disabled government and bank websites. Apparently in 2008 we didn’t need a cyber attack to bring down some of our financial institutions (sorry, couldn’t resist). Question—how does one respond to a cyber attack—with bullets or chips?

Data Breach. Cause for Alarm or a Big Yawn?

By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be. More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded by news reports, privacy and breach notices as just so much junk mail? In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain losses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies for years indicate IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security is breached and others have little incentive to solve the problem. Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.

Coping With COPPA

The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.

Who Pays For the Data Security Breach?

Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial institution and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry, to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.

You Would Think They Would Know Better

Cyber-Ark Software, a U.S.-based information security company, surveyed information technology professionals at the Infosecurity Europe Expo 2008 in London this past April. They asked 300 senior IT folks attending the Expo about abuses relating to information access, and guess what they found? First, about one-third of all IT professionals surveyed abused their own company’s information access rights policies to view information unrelated to their job (e.g., spying on employees or looking at confidential information). The survey report noted that passwords of IT and systems oversight staff often aren’t required to be changed as often as user passwords—or sometimes not at all. In most cases, IT administrators have free rein to use or abuse access privileges—which apparently happens too often.

The notion of “internal firewalls” is highlighted by this report. While companies often take great pains to protect themselves from external threats, as history has shown us in the physical world, the biggest dangers are from “inside jobs.” Without protections that apply internally, snooping, economic espionage, sabotage, spying and data security risks will remain a looming threat to the information assets of a business enterprise.