Home | Articles | Privacy In The Businesses And Workplaces
Privacy In The Businesses And Workplaces
Privacy is a major issue for businesses and employers. Here’s why:
Introduction.
Thirty years ago, privacy laws got little attention. The first financial privacy lawsuit filed by an Attorney General occurred in 1999, prompting all sorts of discussion about the merits of privacy in commercial transactions. See Mike Hatch v. U.S. Bank; https://loriswansonlawsuits.com/bank-privacy. Today, with the widespread application of GPS systems, Browser tracking, cookies and data hacking, privacy has become a major point of discussion. But many businesses and people do not fully understand their rights.
In 2001, long before the dominance of Facebook, MySpace, Twitter, or the wisp of social media intruding on the privacy of everyday lives, Mike Hatch wrote an article entitled, “The Privatization of Big Brother: Protecting Sensitive Personal Information for Commercial Interests in the 21st Century”, William Mitchell Law Review, Vol. 27, Issue 3, https://open.mitchellhamline.edu/wmlr/vol27/iss3/8/. The article is quite prescient in predicting the Brave New World of digital marketing.
Breach of privacy can have severe consequences. A stolen laptop that contained patient data eventually started a chain of events, including a lawsuit by Lori Swanson, that resulted in the delisting of a New York Stock Exchange Company. Cities paid out money to people when employees illegally snooped at driver’s license data. Businesses ranging from Facebook to Hewlett Packard acknowledge penetration of their data systems by outside marauders.
Statuses. Federal laws relating to privacy include the Gramm-Leach-Bliley Act (GLBA), the Health Information Privacy Protection Act (“HIPPA”), the Children’s Online Privacy Protection Act, the Video Privacy Protection Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act (FACTA), the Drivers Privacy and Protection Act, the Stored Communications Act, the Federal Consumer Credit Card Protection Act, and the Electronic Communications Privacy Act. State laws include the Data Breach Notification Law, the Minnesota Fair Information Reporting Law, and the Disclosure of Credit Card Data Law. Businesses must figure out how to wade through and comply with the maze of state and federal privacy laws.
Common Law. A court can hold an employer financially liable if it fails to protect the confidential information of an employee or customer. Long before HIPAA, a Minnesota court determined that a physician has an implied contract, even though not in writing, not to release confidential patient information without the patient’s permission. Stubbs v. North Memorial Medical Center, 448 N.W.2d 78 (Minn. Ct. App., 1989.)
In at least one case, a Minnesota court ruled that invasion of privacy may occur where the Social Security numbers of several hundred employees were disseminated to managers of affiliated businesses in six states. Bodah v. Lakeville Motor Express, 649 N.W.2d 859 (Minn. Ct. App. 2002.) This invasion of privacy claim is premised on a “right to privacy present in the common law of Minnesota, including causes of action in tort for intrusion upon seclusion, appropriation, and publication of private facts.” Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231, 236 (Minn. 1998). In this case, a woman sued a film developer at Wal-Mart for distributing photos of her taken during Spring break in Mexico.
The law of privacy in the workplace and business setting is evolving with technology. Several of the points discussed below are not fully resolved and indeed differ depending on the privacy law of a particular state.
Personnel Records. Employees generally have a right to privacy in their personnel records. Employee personnel records often include information that employers must keep confidential, such as employee medical records, drug testing records, credit card information, social security numbers, and credit reports.
Social Security Numbers. An employer must keep the social security number of an employee confidential. Many states expressly limit and/or prohibit the use of all or part of social security numbers as computer passwords or employee ID numbers.
Email and Internet Usage. The courts generally have found no reasonable expectation to privacy by an employee regarding an employer-owned computer in which there was also a stated policy that the computer and its contents were not confidential. United States v. Angevine, 281 F.3d 1130 (10th Cir. 2002.) A court similarly found that password-protected personal folders on a company network accessed via a company computer did not carry privacy expectations. McLauren v. Microsoft Corp., 1999 Tex. App. LEXIS 4103 (Tex. App. 1999.) A court determined that searching an employer-owned computer at the employee’s home does not violate Fourth Amendment rights. TBG Insurance Services Corp. v. Superior Ct., 96 Cal. App. 4th 443 (Cal. Ct. App. 2002.) A court similarly found no privacy rights regarding employee e-mails on an employer’s computer network. Garrity v. John Hancock Mutual Life Insurance Co., 2002 U.S. Dist. LEXIS 8343 (D. Mass. 2002.) Having said all this, best practices generally suggest that notice be provided to employees in an employee handbook or employment contract regarding clearly setting forth the employer’s policy.
Browser Utilization. Courts and commentators have generally said that an employer has the right to track the websites visited by employees on employer-owned technology devices.
WebCam Embedding. The courts define a tort called “intrusion upon seclusion” as follows:
One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.
Courts have said that employers may generally not embed in a company-owned computer a webcam that can be activated from remote locations to monitor an employee without the knowledge of the employee. It is likely that a court would permit such a monitor in the cab of a truck, taxi or plane where the employer provides notice and can demonstrate a business purpose for the intrusion. At the same time, a court might not permit the embedding of a remotely-activated webcam if there was no business purpose, even if the employee had notice.
Social Media. About ten states have enacted legislation to prohibit employers from obtaining an employee’s username and passwords for social media sites. Minnesota has not enacted such a law. In Pietrylo v. Hillstone Restaurant Group, 2009 U.S. Dist. LEXIS 88702, a New Jersey court found an employer liable for damages when a manager coerced an employee into disclosing her user-name and password to social media sites.
Telephone Calls. Employees should generally receive notice if their phone calls may be monitored, their desks or lockers searched, or their e-mail read. Any monitoring of telephone calls should only be for business purposes and be terminated if the communication is of a personal nature. Employers should keep any information gathered through such an intercept be confidential.
Video Cameras. An employer’s use of video surveillance depends on whether the employee has a reasonable expectation of privacy. Surveillance in a parking garage or public area is acceptable, but surveillance in a private office or restroom may be an invasion of privacy.
Drug and Alcohol Testing. Minnesota employers may require a job applicant to undergo a drug and alcohol test if a job offer has been made to the applicant and the same test is required of all applicants who are offered employment for a similar position. An employer must provide the employee a copy of the employer’s written drug and alcohol testing policy, which must also be posted in conspicuous workplace locations. Before a test is administered, an applicant should sign an acknowledgment that he or she has read the policy and understands that passing the drug and alcohol test is a requirement of the job.
Polygraph Testing. Employers may not generally request an applicant or employee to take a polygraph, voice stress analysis, or any other test purporting to test the honesty of the person. This prohibition relates to tests that measure physiological changes but does not apply to written honesty tests. An employee may request a polygraph test but the employer administering the test must inform the employee that the test is voluntary.
Medical Records. Medical information about an employee should be kept separate from other employee records and access to such information should be severely restricted.
Background Screening. Employers who require background checks as part of the hiring or employment process should maintain the confidentiality of the background information received. There are various laws that restrict the type of background information (such as criminal history, finances, bankruptcy, etc.) that an employer can inquire into, as well as how far back in time an employer can look. Many states laws require an employee’s consent to get certain types of information. Some laws require notice if the information is used to make an adverse employment decision.
Protected Class Information. The employer should not seek or maintain data regarding an employee being a member of a protected class, such as data indicative of race, religion, national origin, age, gender, pregnancy, familial status, disability status or genetic information.
More than ever, businesses and employers need to be proactive when it comes to the handling of private information. Technology has changed the law of privacy. The law is particularly fluid as to an employer’s right to search an employee’s personal smartphone, tablet, or computer. Privacy law often boils down to one criterion: what is the reasonable expectation of the employee? When in doubt, employers and businesses should provide clear notice of their policies and procedures.
For more information, please contact former Minnesota Attorney General Lori Swanson or former Minnesota Attorney General and Commissioner of Commerce Mike Hatch at Swanson|Hatch, P.A. as follows:
www.swansonhatch.com
431 South Seventh Street, Suite 2545
Minneapolis, MN 55415 612-315-3037
The information provided in this article does not, and is not intended to, constitute legal advice. Instead, the content in this article is for general informational purposes only. Readers should contact an attorney to obtain advice with respect to any particular legal matter. Questions regarding privacy in an insurance agency can be directed to former Attorney General Lori Swanson at lswanson@swansonhatch.com or former Attorney General Mike Hatch at mhatch@swansonhatch.com. Because of the volume of inquiries, we ask that questions be sent by email, not on the phone. Once again, unless acknowledged by Ms. Swanson or Mr. Hatch in writing, no response by them to an email constitutes legal advice or establishes an attorney-client relationship.
Privacy is a major issue for businesses and employers. Here’s why:
Introduction.
Thirty years ago, privacy laws got little attention. The first financial privacy lawsuit filed by an Attorney General occurred in 1999, prompting all sorts of discussion about the merits of privacy in commercial transactions. See Mike Hatch v. U.S. Bank; https://loriswansonlawsuits.com/bank-privacy. Today, with the widespread application of GPS systems, Browser tracking, cookies and data hacking, privacy has become a major point of discussion. But many businesses and people do not fully understand their rights.
In 2001, long before the dominance of Facebook, MySpace, Twitter, or the wisp of social media intruding on the privacy of everyday lives, Mike Hatch wrote an article entitled, “The Privatization of Big Brother: Protecting Sensitive Personal Information for Commercial Interests in the 21st Century”, William Mitchell Law Review, Vol. 27, Issue 3, https://open.mitchellhamline.edu/wmlr/vol27/iss3/8/. The article is quite prescient in predicting the Brave New World of digital marketing.
Breach of privacy can have severe consequences. A stolen laptop that contained patient data eventually started a chain of events, including a lawsuit by Lori Swanson, that resulted in the delisting of a New York Stock Exchange Company. Cities paid out money to people when employees illegally snooped at driver’s license data. Businesses ranging from Facebook to Hewlett Packard acknowledge penetration of their data systems by outside marauders.
Statuses. Federal laws relating to privacy include the Gramm-Leach-Bliley Act (GLBA), the Health Information Privacy Protection Act (“HIPPA”), the Children’s Online Privacy Protection Act, the Video Privacy Protection Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act (FACTA), the Drivers Privacy and Protection Act, the Stored Communications Act, the Federal Consumer Credit Card Protection Act, and the Electronic Communications Privacy Act. State laws include the Data Breach Notification Law, the Minnesota Fair Information Reporting Law, and the Disclosure of Credit Card Data Law. Businesses must figure out how to wade through and comply with the maze of state and federal privacy laws.
Common Law. A court can hold an employer financially liable if it fails to protect the confidential information of an employee or customer. Long before HIPAA, a Minnesota court determined that a physician has an implied contract, even though not in writing, not to release confidential patient information without the patient’s permission. Stubbs v. North Memorial Medical Center, 448 N.W.2d 78 (Minn. Ct. App., 1989.)
In at least one case, a Minnesota court ruled that invasion of privacy may occur where the Social Security numbers of several hundred employees were disseminated to managers of affiliated businesses in six states. Bodah v. Lakeville Motor Express, 649 N.W.2d 859 (Minn. Ct. App. 2002.) This invasion of privacy claim is premised on a “right to privacy present in the common law of Minnesota, including causes of action in tort for intrusion upon seclusion, appropriation, and publication of private facts.” Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231, 236 (Minn. 1998). In this case, a woman sued a film developer at Wal-Mart for distributing photos of her taken during Spring break in Mexico.
The law of privacy in the workplace and business setting is evolving with technology. Several of the points discussed below are not fully resolved and indeed differ depending on the privacy law of a particular state.
Personnel Records. Employees generally have a right to privacy in their personnel records. Employee personnel records often include information that employers must keep confidential, such as employee medical records, drug testing records, credit card information, social security numbers, and credit reports.
Social Security Numbers. An employer must keep the social security number of an employee confidential. Many states expressly limit and/or prohibit the use of all or part of social security numbers as computer passwords or employee ID numbers.
Email and Internet Usage. The courts generally have found no reasonable expectation to privacy by an employee regarding an employer-owned computer in which there was also a stated policy that the computer and its contents were not confidential. United States v. Angevine, 281 F.3d 1130 (10th Cir. 2002.) A court similarly found that password-protected personal folders on a company network accessed via a company computer did not carry privacy expectations. McLauren v. Microsoft Corp., 1999 Tex. App. LEXIS 4103 (Tex. App. 1999.) A court determined that searching an employer-owned computer at the employee’s home does not violate Fourth Amendment rights. TBG Insurance Services Corp. v. Superior Ct., 96 Cal. App. 4th 443 (Cal. Ct. App. 2002.) A court similarly found no privacy rights regarding employee e-mails on an employer’s computer network. Garrity v. John Hancock Mutual Life Insurance Co., 2002 U.S. Dist. LEXIS 8343 (D. Mass. 2002.) Having said all this, best practices generally suggest that notice be provided to employees in an employee handbook or employment contract regarding clearly setting forth the employer’s policy.
Browser Utilization. Courts and commentators have generally said that an employer has the right to track the websites visited by employees on employer-owned technology devices.
WebCam Embedding. The courts define a tort called “intrusion upon seclusion” as follows:
- One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.
Courts have said that employers may generally not embed in a company-owned computer a webcam that can be activated from remote locations to monitor an employee without the knowledge of the employee. It is likely that a court would permit such a monitor in the cab of a truck, taxi or plane where the employer provides notice and can demonstrate a business purpose for the intrusion. At the same time, a court might not permit the embedding of a remotely-activated webcam if there was no business purpose, even if the employee had notice.Social Media. About ten states have enacted legislation to prohibit employers from obtaining an employee’s username and passwords for social media sites. Minnesota has not enacted such a law. In Pietrylo v. Hillstone Restaurant Group, 2009 U.S. Dist. LEXIS 88702, a New Jersey court found an employer liable for damages when a manager coerced an employee into disclosing her user-name and password to social media sites.
Telephone Calls. Employees should generally receive notice if their phone calls may be monitored, their desks or lockers searched, or their e-mail read. Any monitoring of telephone calls should only be for business purposes and be terminated if the communication is of a personal nature. Employers should keep any information gathered through such an intercept be confidential.
Video Cameras. An employer’s use of video surveillance depends on whether the employee has a reasonable expectation of privacy. Surveillance in a parking garage or public area is acceptable, but surveillance in a private office or restroom may be an invasion of privacy.
Drug and Alcohol Testing. Minnesota employers may require a job applicant to undergo a drug and alcohol test if a job offer has been made to the applicant and the same test is required of all applicants who are offered employment for a similar position. An employer must provide the employee a copy of the employer’s written drug and alcohol testing policy, which must also be posted in conspicuous workplace locations. Before a test is administered, an applicant should sign an acknowledgment that he or she has read the policy and understands that passing the drug and alcohol test is a requirement of the job.
Polygraph Testing. Employers may not generally request an applicant or employee to take a polygraph, voice stress analysis, or any other test purporting to test the honesty of the person. This prohibition relates to tests that measure physiological changes but does not apply to written honesty tests. An employee may request a polygraph test but the employer administering the test must inform the employee that the test is voluntary.
Medical Records. Medical information about an employee should be kept separate from other employee records and access to such information should be severely restricted.
Background Screening. Employers who require background checks as part of the hiring or employment process should maintain the confidentiality of the background information received. There are various laws that restrict the type of background information (such as criminal history, finances, bankruptcy, etc.) that an employer can inquire into, as well as how far back in time an employer can look. Many states laws require an employee’s consent to get certain types of information. Some laws require notice if the information is used to make an adverse employment decision.
Protected Class Information. The employer should not seek or maintain data regarding an employee being a member of a protected class, such as data indicative of race, religion, national origin, age, gender, pregnancy, familial status, disability status or genetic information.
More than ever, businesses and employers need to be proactive when it comes to the handling of private information. Technology has changed the law of privacy. The law is particularly fluid as to an employer’s right to search an employee’s personal smartphone, tablet, or computer. Privacy law often boils down to one criterion: what is the reasonable expectation of the employee? When in doubt, employers and businesses should provide clear notice of their policies and procedures.
For more information, please contact former Minnesota Attorney General Lori Swanson or former Minnesota Attorney General and Commissioner of Commerce Mike Hatch at Swanson|Hatch, P.A. as follows:
Mike Hatch: mhatch@swansonhatch.com
Lori Swanson: lswanson@swansonhatch.com
www.swansonhatch.com
431 South Seventh Street, Suite 2545
Minneapolis, MN 55415
612-315-3037
The information provided in this article does not, and is not intended to, constitute legal advice. Instead, the content in this article is for general informational purposes only. Readers should contact an attorney to obtain advice with respect to any particular legal matter. Questions regarding privacy in an insurance agency can be directed to former Attorney General Lori Swanson at lswanson@swansonhatch.com or former Attorney General Mike Hatch at mhatch@swansonhatch.com. Because of the volume of inquiries, we ask that questions be sent by email, not on the phone. Once again, unless acknowledged by Ms. Swanson or Mr. Hatch in writing, no response by them to an email constitutes legal advice or establishes an attorney-client relationship.