Adopting working privacy protections on company devices

The response to COVID-19 has the power to define how companies and their employees should operate in the work-from-home world.


The economic, cultural and societal impact of the COVID-19 pandemic — The Big Pause — will be incalculable. America will, quite literally, never be the same. Our economy will eventually be turned back on, but our business dealings will be different, our social interactions will be different, the way we go about our daily lives will be different.

The new normal won’t be like the old normal. At all.

No one can precisely know how much our work habits will be affected, but this much is certain: The Big Pause in all its repercussions will forever alter our workforce. Once we stop pausing, we need to update our working-from-home policies and overhaul our commitment to employee privacy rights.

Updating policies

Most working Americans are currently quarantined in their houses. They’re using either personal devices or company-issued devices, without clear regulations on privacy. Indeed, it’s been nearly 35 years since Congress adopted consumer privacy protections in the Electronic Communications Privacy Act of 1986. To put that into perspective, the first smartphone wasn’t invented until 1992.

So, we’ve essentially had two generations of workers using cell and smartphones for business purposes without a clear articulation of where their employers’ rights “stop” — and where their individual privacy rights “start.”

If properly handled, the response to COVID-19 has the power to define how companies and their company-device-wielding employees should operate in our brave new work-from-home world. Without clear data privacy laws, however, America is inviting a wave of thorny litigation and withering security risks.

Look no further than Paul Iacovacci, who used a company-issued computer at his home that was maliciously hacked by his employer. In addition to pilfering private emails, the company got access, without Iacovacci’s knowledge, to deeply personal data, including religious and family information and data stored on personal hard drives. Iacovacci’s lawsuit alleges his employer’s actions violated federal antihacking laws, specifically the Computer Fraud and Abuse Act (CFAA), which prohibits intentionally accessing a computer “without authorization or in excess of authorization.” His employer’s behavior is the precise kind of corporate recklessness proscribed by California’s new Consumer Privacy Act.

If in the future Americans will have to spend more time teleworking — and that’s almost certainly the case — security risks will only escalate. In a time of fully connected devices, streamlined password sync, and blurred lines between personal and professional time, company BYOD policies must be strengthened to educate employees and equip employers once we transition out of The Big Pause.

Given today’s blurred lines between “work” and “home” and the fact that businesses often own the digital devices used by their employees, it’s not a surprise that legal strains would arise over the rights of employers vs. their workers and executives. What is a surprise is that it’s taken Congress so long to catch up with technology and work trends.

New federal legislation, therefore, needs to address the following:

Determine the point at which a company’s claim to “control” over its devices ends—and an employee’s equally legitimate claims to privacy begin. Another legitimate concern for employers: to the extent employees utilize company property for personal use, does such use of employer property “waive” their expectation of or right to privacy?

Enforce criminal sanctions on companies that willfully invade a worker’s privacy. Several civil laws already exist to protect worker privacy — among them the Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA), the Whistleblower Act, and the 1986 Electronic Communications Privacy Act (ECPA) — in some form, but need to be updated, given technological developments.

Expand the ECPA protections. As amended, ECPA protects wire, oral, and electronic communications, at least while those communications are being made or when they’re stored on computers. It expressly prohibits employers from monitoring employees’ personal phone calls even if the calls were made or received on an employer’s property. The act also requires the employer to disclose the fact that calls are being monitored and makes it a civil liability for employers to read, disclose, delete, or prevent access to an employee’s voicemail.

Update errors and omissions laws, and the whole sweep of professional liability issues that safeguard companies and their professionals against negligent or defective work.

While Congress is strengthening worker privacy rights, it must also assess California’s tough new privacy statute and determine how it will factor into the setting of new national standards on privacy.

Employers, meanwhile, must observe their employees’ continued right to privacy, including under ADA, HIPAA, and/or relevant state and local laws, while maintaining a safe and healthy workplace.

Many types of monitoring are legal; most employers monitor their employees’ activities on some level. Many technologies allow employers to observe their employees’ “digital footprints” and thereby gain insight into employee behavior.

In fact, a 2005 survey of more than 500 U.S. companies found that over half of employers had disciplined employees and about one in four had terminated (fired) an employee for “inappropriate” use of the internet, such as sending an inappropriate email message to a client or supervisor, neglecting work while chatting with friends, or viewing pornography during work hours.

Nearly any activity on your office computer can be monitored, almost completely without regulation. The employer may watch, read, and listen to most of the employee’s workplace communications. Employees need to be mindful that when they use an employer’s equipment, their expectations of privacy should be diminished. It is essential, therefore, that employers maintain and update their monitoring policies and that those policies be well-documented, well-defined, and acknowledged in writing by employees. In other words, the policies need to clearly state that employees should not expect privacy when they use their employer’s resources or are on their employer’s property.

Congress also needs to address limiting the information a company gathers on employees to the bare minimum needed for “legitimate business reasons,” as well as disabling tracking capabilities whenever they’re not needed. Too many companies are needlessly and recklessly tracking their employees’ whereabouts and behaviors.

Some 30 states and the District of Columbia have adopted laws that discourage or prevent companies from firing employees for their “off-duty” conduct. As more and more companies find themselves in legal hot water for getting crosswise with these state statutes, a good rule is: “Don’t collect what you can’t protect.”

Our new post-pandemic “normal” must include a renewed commitment to worker privacy rights — and a Congress that resolves to keep in step with technological developments and their impact on privacy.

Karen Hertz, Esq. is a labor and employment attorney and owner of Hertz Legal, PC. Opinions expressed here are the author’s own. 
