You may have seen the article making the rounds recently about the Facebook® post that cost a Florida man $80,000. For those unfamiliar with the story – or for those who didn’t make it past the headline – a Florida appeals court found that a school headmaster violated the terms of a confidential age discrimination settlement after his daughter mentioned the settlement on Facebook®. As a result of the disclosure, the headmaster forfeited the $80,000 settlement payment.
While many may have had a chuckle at the man’s expense, and others have worried about what disclosures their own children may have made online, it is important to remember that your organization likely has similar confidentiality obligations and that an inadvertent disclosure could result in legal and financial liability. For example, if the headmaster’s employer was also bound by the confidentiality clause and an employee disclosed the settlement terms on his or her Facebook® page, the headmaster may have been allowed to keep both the settlement payment and his right to bring a claim. If your organization has confidential agreements with clients or vendors, an inadvertent disclosure could be a breach of the contract, leading to damages. Likewise, the disclosure of information revealed in an investigation, or other sensitive employee information, could jeopardize the investigation or even result in a violation of state or federal law.
As this case highlights, inadvertent disclosures, whether online or in some other forum, can prove costly. As a result, companies should take proactive steps to prevent such disclosures. For instance, companies should put physical and electronic safeguards in place to protect sensitive information, only disclose sensitive information to employees with a need to know, and if such information is disclosed, ensure that employees understand their obligations to keep confidential information confidential. In addition to periodic training on safeguards to prevent disclosures (e.g., unsecured wifi at coffee houses should not be used for confidential emails), companies may consider instituting or revising their confidentiality policies and agreements to provide further protection.
If you have not recently reviewed your policies or agreements or if you have none in place, now is the time to take action, especially given our previously announced offer to provide a complimentary review of your company’s confidential information policies and practices.
Article written by attorney Sean Libby of Worklaw® Network firm Elarbee Thompson (www.elarbeethompson.com)
In the CA Attorney General Opinion 12-1101 the question presented was “Does continuous videotaping surveillance of truck drivers during their on-the-job driving constitute a misdemeanor under Labor Code section 1051 where the video file is inspected by a third party and used as a basis for discipline by the driver’s employer?” In short, the conclusion was “no.”
Labor Code Section 1051 was written one hundred years ago to prevent blacklisting of employees using photos and fingerprints managed by third party entities. More recently Vehicle Code Section 26708 added a provision intended to allow employers to use video surveillance of drivers for safety purposes. In relevant part it says:
(13) (A) A video event recorder with the capability of monitoring driver performance to improve driver safety, which may be mounted in a seven-inch square in the lower corner of the windshield farthest removed from the driver, in a five-inch square in the lower corner of the windshield nearest to the driver and outside of an airbag deployment zone, or in a five-inch square mounted to the center uppermost portion of the interior of the windshield. As used in this section, “video event recorder” means a video recorder that continuously records in a digital loop, recording audio, video, and G-force levels, but saves video only when triggered by an unusual motion or crash or when operated by the driver to monitor driver performance.
(B) A vehicle equipped with a video event recorder shall have a notice posted in a visible location which states that a passenger’s conversation may be recorded.
(C) Video event recorders shall store no more than 30 seconds before and after a triggering event.
After examining these statutes and relevant case law the AG reached this opinion:
Continuous videotaping surveillance of truck drivers during their on-the-job driving does not constitute a misdemeanor under Labor Code section 1051 where the video file is inspected by a third party and used as a basis for discipline by the driver’s employer, provided that the third party is an agent of the driver’s employer who is videotaping and inspecting the file for the sole benefit of the driver’s employer, and that the file is furnished only to the driver’s employer.
There was one cautionary note:
If the third-party contractor had an additional purpose of furnishing the videotape to someone other than the employer, or if the employer had an additional purpose of subsequently furnishing the videotape to another employer and the tape “could be used to the detriment of” the employee, our conclusion might be different. But we have not been presented with facts indicating such an additional purpose.
Bottom line: Video surveillance whether at work or on the road will always pit privacy rights against an employer desire to create a safe or secure environment. The law in most all states will ask employers to identify the safety or security need, think of the least intrusive viable solution and then inform the employees of the monitoring and you should be good to go!
According to a Department of Health and Human Services investigation, AHP committed the following errors:
- AHP impermissibly disclosed the EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
- AHP failed to assess and identify the potential security risks and vulnerabilities of EPHI stored in the photocopier hard drives.
- AHP failed to implement its policies for the disposal of EPHI with respect to the aforementioned photocopier hard drives.
Without admitting any fault they agreed to pay a handsome penalty. To see the Resolution Agreement click here.
Bottom line: Good risk management practices considers a wide range of exposures and risk that can be created by surrounding technologies (i.e. copiers, internet, social media, storage, disposal) and based on various information sources (financial or health information, trade secrets, R&D, etc.).
Forecasters predict that the amount of information companies have to manage will quadruple in the next ten years. Data management and security protocols are a growing risk management concern. Companies need to protect proprietary and confidential information including everything from their latest designs, internal communications, client data, marketing strategies, financial information, and the list goes on. Fact is, every aspect of your operations has information and data attached to it that competitors or worse would love to have access to. What can and should a company do to help manage this ever growing risk?
- Make sure you have cyber-liability and other insurance coverages to cover against these losses.
- Do a complete assessment of the most important risks. Not all are weighed equally. Make sure there is someone fully responsible for managing each one of those risks.
- Make sure you know where the information flows and who has access to it. Chances are, your employees have access to more information than they need to.
- Have protocols surrounding all information devices including servers, desktops, laptops, and mobile devices, video conferencing, online chats, and social media platforms.
- Train your employees on the risk associated with not properly managing this information or data.
- Hire a third party service to check your vulnerabilities.
- Employ today’s technologies to help better manage data. For example, Symantec and Web Sense are the leaders in data loss prevention. Their software is often used to prevent social security and credit card numbers from leaving a company.
- Have protocols around the use of social media. HR That Works members should take a look at the Social Media Training Module and related tools.
- Have clear protocols about people who are telecommuting to work or are third-party vendors.
- Make sure how you manage the departure of terminated or defected employees. Of course, you can have non-compete and confidentiality agreements as well as taking a checklist approach to making sure all equipment, passwords, etc. have been collected. If necessary you can employ counsel to file an injunction against use of any confidential information.
- Don’t forget about low-tech espionage including dumpster divers and the Xerox machine.
These suggestions are just a start. You should conduct an extensive risk management and technology assessment and there are plenty of vendors willing to help you with that effort.