Tag: employee privacy

Return to Work COVID-19 Testing Considerations

As employees increasingly transition back into the physical workplace, employers have begun to grapple with whether and how to deploy COVID-19 diagnostic testing as a return-to-work solution.  Many employers want to avoid extended employee quarantine or isolation requirements that prevent their employees from returning to the office for weeks and disrupt their operations.  But is this potential solution legal?  And is it effective?  Below we discuss practical considerations for employers considering a return to work COVID-19 testing strategy.

Is it Legal?

For the most part, yes.  While the Equal Employment Opportunity Commission (“EEOC”) has approved of COVID-19 diagnostic testing in the workplace generally, it has, as explained further below, recently modified its guidance to discourage its use as a return to work strategy.  Further, approaches vary widely across the states and localities that have taken a position on return to work testing.  For example, while Illinois permits its use, an ordinance in Dallas, Texas prohibits return to work testing.

Is it Effective?  

It depends.  Before mandatory vaccination becomes an option (which we wrote about here), requiring employees to test negative for COVID-19 before returning to work may at first glance seem like a reasonable way to ensure employee attendance while keeping the workplace safe.  For some employers, particularly those that are able to test frequently, quickly and accurately, this may be a sound approach.  But for other employers, they will have to weigh their options carefully.  Recent updated guidance from the CDC, employee complaints about the invasiveness of testing, and very real ongoing concerns about testing availability and accuracy may militate against pursuing a testing strategy at this time.

More specifically, recent guidance from the CDC discourages a test-based strategy as a primary solution finding that a symptom-based screening strategy is sufficient to identify when an individual with symptoms may return to work.  However, if an employer nevertheless decides to proceed with diagnostic testing as part of their COVID-19 mitigation strategy, the CDC recommends having employees test negatively twice with the two consecutive tests coming at least 24 hours, before returning to work.

State and local guidance does not necessarily provide additional clarity on how best to proceed.  For example New York State’s guidance only addresses situations where an employee experiences symptoms upon arrival at work or while at the office, advising that in those instances an employee may return to work with a single negative COVID-19 test (in contrast to the CDC’s recommended two consecutive negative tests).  But New York’s guidance does not currently address whether testing is a solution to a host of other scenarios – for instance, where an employee’s remote screening indicates recent symptoms, known exposure, or where an employee traveled to a place with significant community spread.  In those instances, the New York guidance does not incorporate testing as a return to work solution, instead asserting that individuals who have had known close contact with someone who has COVID-19 (i.e. within 6 feet of someone for ten or more minutes) should (1) isolate for 10 days from the onset of symptoms (if the individual has symptoms); or (2) isolate for 14 days from the date of exposure (if the individual does not have symptoms).  New York’s guidance also states that employees who test positive for COVID-19 must complete at least 10 days of isolation from the onset of symptoms or 10 days of isolation after the first positive test if they remain asymptomatic.

Putting all the guidance aside for the moment, testing may prove futile in many cases regardless.  First, COVID-19 reportedly can take 2-14 days after exposure to become identifiable in a diagnostic test, and thus, employees who test negative may return to work and later discover they have indeed been infected.  And in other cases, testing may prove futile if an employee cannot access a test readily, and thereafter receive their results in a timely manner, which effectively sidelines them from returning to the office anyway.  Further, there is also the possibility of a false negative, particularly when an employee takes a rapid test.  Other employer considerations include how COVID-19 testing, and the resulting disciplining of employees if they refuse to be tested, might affect overall employee morale.

Employers should consider these issues and weigh them against the vitality of other preventative measures such as whether an employee can telework or take a paid or unpaid leave in lieu of returning to work.  If the employee must return to work, employers should consider using other safety measures (whether in lieu of or in addition to testing), such as symptom/exposure questionnaires, temperature checks and workplace social distancing requirements.

What if an Employee Refuses to Take a Diagnostic Test? 

In selecting any of these options, employers should consider creating a policy or procedure that, among other things, discloses the circumstances under which an employee must take a test, the specific test or tests that the employer will accept, and the consequences of an employee’s refusal to be tested prior to returning to work.  Employers should also consider whether they will afford an employee the opportunity to take an unpaid leave of absence where they refuse to take a test in lieu of a disciplinary action.

Further, before resorting to disciplinary measures, employers should first consider the nature of the employee’s objection.  If the employee is simply annoyed or frustrated about the testing policy, disciplinary measures may be appropriate as the employees is failing to adhere to a company safety policy.  However, employers should evaluate whether the employee is asking for a disability accommodation, and if so, should consider alternative options to testing.

A Note about Isolation Practices and Employee Abuses.

In jurisdictions that do not require employees to isolate after potential symptoms or exposure, employers that need employees to work in the office may be turning to COVID-19 diagnostic testing as an alternative or supplement to isolation practices they consider impractical or prone to abuse.  Indeed, some employers are facing scenarios in which employees attempt to take advantage of company isolation policies in an effort to take extended time away from the workplace.

Employers facing this situation may consider implementing a diagnostic testing strategy (where permitted and feasible), but should also consider addressing the various employee abuse scenarios that might unfold and provide cautionary warnings to employees.  For example, New York, New Jersey, Massachusetts, and some other jurisdictions are requiring individuals who travel to certain states with troublesome COVID-19 metrics to quarantine for 14 days upon their reentry.  If an employee is planning travel to a “hot spot” on vacation to avoid returning to work, the employer should consider warning the employee that if they are unable to telework upon their return, they may be required to take additional paid time off or even unpaid leave.  Alternatively, employers facing operational difficulties if employers are away for multiple weeks may wish to revisit paid time off approval processes or condition approval of company-provided vacation time on an employee’s ability to return to work promptly after traveling.  In short, employers may have several options to address employees’ abuse of isolation rules that do not necessarily have to involve the implementation of diagnostic testing.

Final Considerations.

If an employer does decide to implement a testing strategy, it should ensure that its COVID-19 testing and screening protocols and policies adhere to relevant state and local guidelines, which vary greatly by jurisdiction.  Employers should further ensure they are tracking other practical aspects of testing.  For example, employers must safeguard employee medical records in accordance with Americans with Disabilities Act (“ADA”) requirements and the privacy requirements of various states and localities, which we discussed here.  When choosing a diagnostic test, employers must also ensure that the test is reliable and accurate – for instance, some rapid testing kits now entering the market may not meet the EEOC’s reliability and accuracy standards.  Similarly, any testing strategies must be uniformly applied so as not to cause disparate treatment amongst employees.  Employers should refer to the EEOC’s ADA guidance, which we discussed here, to ensure non-discriminatory application of testing policies.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

For more on COVID-19 Testing see the National Law Review Coronavirs News section.

Temperature Checks: Three Things to Know Before Screening Employees and Customers

As businesses begin the calculated process of re-opening their doors to employees and customers, many are considering implementing temperature checks to monitor for at least one known COVID-19 symptom – the fever.

Beyond nailing down the logistics of temperature checks (e.g., who will perform them, has that person been trained, do employees need to be paid while waiting in line, how will social distancing be maintained, etc.) there are several significant legal considerations that should be evaluated before implementation.

The Illinois Biometric Privacy Act

Some temperature screening devices utilize facial-recognition technology to quickly identify those with fever so that they can be promptly tracked down and removed from the facility. While these systems provide logistical advantages, especially to large employers and retailers, they likely implicate provisions of the Illinois Biometric Privacy Act (BIPA) which can lead to costly litigation and result in stiff penalties for anyone who violates the statute, even unwittingly.

According to BIPA, businesses utilizing this type of facial-recognition technology must obtain advance, written consent from the individuals to be scanned, and must also maintain a publicly available policy that specifies information regarding the collection, use, storage, and destruction of individuals’ biometric information. And, again, these policies and consents must be executed and implemented before temperature screenings begin. It is, therefore, critical to determine whether your temperature screening devices perform facial recognition scans or capture other biometric information.

Confidentiality of Employee Information

Employers screening employee temperatures must also remember they are conducting a “medical examination,” as defined by the Equal Employment Opportunity Commission (EEOC) and would be wise to adhere to the EEOC’s guidance on the issue. This means information collected about employees’ temperature, such as the temperature readings themselves, or the fact that an employee had or has a fever, must be treated as confidential medication information and maintained in a confidential file separate from an employee’s personnel file. Employers should also take care to not divulge the identity of any employee sent home with fever, absent consent from the employee to share that information with other personnel, or a strict need-to-know among involved supervisor(s) or members of human resources.

The California Consumer Privacy Act

California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), contains broad protection of consumers’ “personal information,” and requires businesses subject to the statute to, among other things, notify consumers when their personal information is being collected. Though body temperature is not explicitly mentioned in the statute, the definition of “personal information” is broad, and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer …” It includes biometric information. Whether an individual’s temperature constitutes personal information is up for some debate, but debates often lead to costly litigation, and it is easy enough to amend CCPA notices to include temperature until that debate is resolved in an effort to avoid litigation altogether.

So, if a business is subject to the CCPA and intends to collect employee or customer temperatures (whether or not with the use of biometric technology), it should consider updating its CCPA notices to include “temperature” (and, if applicable, scans of face geometry) to the list of personal information collected.

© 2020 Much Shelist, P.C.

For more employer COVID-19 guidance, see the National Law Review Coronavirus News section.

Can You Spy on Your Employees’ Private Facebook Group?

For years, companies have encountered issues stemming from employee communications on social media platforms. When such communications take place in private groups not accessible to anyone except approved members, though, it can be difficult for an employer to know what actually is being said. But can a company try to get intel on what’s being communicated in such forums? A recent National Labor Relations Board (NLRB) case shows that, depending on the circumstances, such actions may violate labor law.

At issue in the case was a company that was facing unionizing efforts by its employees. Some employees of the company were members of a private Facebook group and posted comments in the group about potentially forming a union. Management became aware of this activity and repeatedly asked one of its employees who had access to the group to provide management with reports about the comments. The NLRB found this conduct to be unlawful and held: “It is well-settled that an employee commits unlawful surveillance if it acts in a way that is out of the ordinary in order to observe union activity.”

This case provides another reminder that specific rules come into play when employees are considering forming a union. Generally, companies cannot:

  • Threaten employees based on their union activity
  • Interrogate workers about their union activity, sentiments, etc.
  • Make promises to employees to induce them to forgo joining a union
  • Engage in surveillance (i.e., spying) on workers’ union organizing efforts

The employer’s “spying” in this instance ran afoul of these parameters, which can have costly consequences, such as overturned discipline and backpay awards.

© 2019 BARNES & THORNBURG LLP

For more on employees’ social media use, see the National Law Review Labor & Employment law page.

Resist the Urge to Access: the Impact of the Stored Communications Act on Employer Self-Help Tactics

As an employer or manager, have you ever collected a resigning employee’s employer-owned laptop or cellphone and discovered that the employee left a personal email account automatically logged in? Did you have the urge to look at what the employee was doing and who the employee was talking to right before resigning? Perhaps to see if he or she was talking to your competitors or customers? If so, you should resist that urge.

The federal Stored Communications Act, 18 U.S.C. § 2701et seq., is a criminal statute that makes it an offense to “intentionally access[ ]without authorization a facility through which an electronic communication service is provided[ ]and thereby obtain[ ] . . . access to a[n] . . . electronic communication while it is in electronic storage  . . . .” It also creates a civil cause of action for victims of such offenses, remedied by (i) actual damages of at least $1,000; (ii) attorneys’ fees and court costs; and, potentially, (iii) punitive damages if the access was willful or intentional.

So how does this criminal statute apply in a situation in which an employee uses a personal email account on an employer-owned electronic device—especially if an employment policy confirms there is no expectation of privacy on the employer’s computer systems and networks? The answer is in the technology itself.

Many courts find that the “facility” referenced in the statute is the server on which the email account resides—not the company’s computer or other electronic device. In one 2013 federal case, a former employee left her personal Gmail account automatically logged in when she returned her company-owned smartphone. Her former supervisor allegedly used that smartphone to access over 48,000 emails on the former employee’s personal Gmail account. The former employee later sued her former supervisor and her former employer under the Stored Communications Act. The defendants moved to dismiss the claim, arguing, among other things, that a smartphone was not a “facility” under the statute.

While agreeing with that argument in principle, the court concluded that it was, in fact, Gmail’s server that was the “facility” for purposes of Stored Communications Act claims. The court also rejected the defendants’ arguments (i) that because it was a company-owned smartphone, the employee had in fact authorized the review, and (ii) that the former employee was responsible for any alleged loss of privacy, because she left the door open to the employer reviewing the Gmail account.

Similarly, in a 2017 federal case, a former employee sued her ex-employer for allegedly using her returned cell phone to access her Gmail account on at least 40 occasions. To assist in the prosecution of a restrictive covenant claim against the former employee, the former employer allegedly arranged to forward several of those emails to the employer’s counsel, including certain allegedly privileged emails between the former employee and her lawyer. The court denied the former employer’s motion to dismiss the claim based on those allegations.

Interestingly, some courts, including both in the above-referenced cases, draw a line on liability under the Stored Communication Act based on whether the emails that were accessed were already opened at the time of access. This line of reasoning is premised on a finding that opened-but-undeleted emails are not in “storage for backup purposes” under the Stored Communications Act. But this distinction is not universal.

In another 2013 federal case, for example, an individual sued his business partner under the Stored Communications Act after the defendant logged on to the other’s Yahoo account using his password. A jury trial resulted in a verdict for the plaintiff on that claim, and the defendant filed a motion for judgment as a matter of law. The defendant argued that she only read emails that had already been opened and that they were therefore not in “electronic storage” for “purposes of backup protection.” The court disagreed, stating that “regardless of the number of times plaintiff or defendant viewed plaintiff’s email (including by downloading it onto a web browser), the Yahoo server continued to store copies of those same emails that previously had been transmitted to plaintiff’s web browser and again to defendant’s web browser.” So again, the court read the Stored Communications Act broadly, stating that “the clear intent of the SCA was to protect a form of communication in which the citizenry clearly has a strong reasonable expectation of privacy.”

Based on the broad reading of the Stored Communications Act in which many courts across the country engage, employers and managers are well advised to exercise caution before reviewing an employee’s personal communications that may be accessible on a company electronic device. Even policies informing employees not to expect privacy on company computer systems and networks may not save the employer or manager from liability under the statute. So seek legal counsel if this opportunity presents itself upon an employee’s separation from the company. And resist the urge to access before doing so.

© 2019 Foley & Lardner LLP
For more on the Stored Communications Act, see the National Law Review Communications, Media & Internet law page.

Six Flags Raises Red Flags: Illinois Supreme Court Weighs In On BIPA

On January 25, the Illinois Supreme Court held that a person can seek liquidated damages based on a technical violation of the Illinois Biometric Information Privacy Act (BIPA), even if that person has suffered no actual injury as a result of the violation. Rosenbach v. Six Flags Entertainment Corp. No. 123186 (Ill. Jan. 25, 2019) presents operational and legal issues for companies that collect fingerprints, facial scans, or other images that may be considered biometric information.

As we have previously addressed, BIPA requires Illinois businesses that collect biometric information from employees and consumers to, among other things, adopt written policies, notify individuals, and obtain written releases. A handful of other states impose similar requirements, but the Illinois BIPA is unique because it provides individuals whose data has been collected with a private right of action for violations of the statute.

Now, the Illinois Supreme Court has held that even technical violations may be actionable.  BIPA requires that businesses use a “reasonable standard of care” when storing, transmitting, or protecting biometric data, so as to protect the privacy of the person who provides the data. The rules are detailed. Among other things, BIPA requires businesses collecting or storing biometric data to do the following:

  • establish a written policy with a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information;
  • notify individuals in writing that the information is being collected or stored and the purpose and length of time for which the biometric identifier will be collected, stored, and used;
  • obtain a written release from the individual; and
  • not disclose biometric information to a third party without the individual’s consent.

The Illinois Supreme Court has now held that a plaintiff may be entitled to up to $5,000 in liquidated damages if a company violates any of these requirements, even without proof of actual damages.

In Rosenbach, the plaintiff’s son’s fingerprint was scanned so that he could use his fingerprint to enter the Six Flags theme park under his season pass. Neither the plaintiff nor her son signed a written release or were given written notice as required by BIPA. The plaintiff did not allege that she or her son suffered a specific injury but claimed that if she had known that Six Flags collected biometric data, she would not have purchased a pass for her son. The plaintiff brought a class action on behalf of all similarly situated theme park customers and sued for maximum damages ($5,000 per violation) under BIPA. The Illinois appellate court held that plaintiff could not maintain a BIPA action because technical violations did not render a party “aggrieved,” a key element of a BIPA claim.

In a unanimous decision, the Illinois Supreme Court disagreed. The court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” Even more pointedly, the court held that when a private entity fails to comply with BIPA’s requirements regarding the collection, retention, disclosure, and destruction of a person’s biometric identifiers or biometric information, that violation alone – in the absence of any actual pecuniary or other injury—constitutes an invasion, impairment, or denial of the person’s statutory rights.

This decision – along with the 200 class actions already filed – shows how important it is for vendors and companies using fingerprint timeclocks or other technologies that may collect biometric information to be aware of BIPA’s requirements.

 

© 2019 Schiff Hardin LLP

Scan Your Practices: Illinois Supreme Court to Resolve Biometric Privacy Standard

Fingerprinting, retina scans, and voiceprints – practices once reserved for FBI agents, criminals, and Jason Bourne – are now widely used by companies of all sizes. These “biometric identifiers” are collected, often by employers, to provide for workplace efficiencies such as clocking time and ensuring secure access to sensitive locations. Or they may be used by businesses looking to track and identify customers. Whatever the case may be, collection and use of biometric identifiers are landing companies in legal hot water.

There has been a frenzy of class action lawsuits filed under the Illinois Biometric Information Privacy Act (BIPA) in recent weeks, in anticipation of a pending decision from the Illinois Supreme Court regarding the statute’s scope. BIPA provides a roadmap for how to lawfully gather, store, and destroy biometric data. When companies flout these requirements, they expose themselves to legal liability.

Compliance with BIPA is not terribly difficult. A private entity must: 1) develop a written policy, available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric data; 2) provide information to the subject in writing, and obtain a written release before collecting and using biometric information; 3) safely store and prevent disclosure or dissemination of the biometric data to unauthorized third parties; and 4) destroy the biometric data when there is no longer a reason for keeping it, or within three years of the individual’s last interaction with the entity, whichever comes first.

The statute provides that “any person aggrieved by a violation” of these rules can bring suit. The tricky question, which the Illinois Supreme Court will soon answer, is who is a person aggrieved? Is someone aggrieved if a private entity technically violates the statute, but does not otherwise cause harm to the individual through unauthorized dissemination or disclosure of his or her biometric data? If a company forgets to obtain written authorization, but otherwise posts appropriate notices and protects the security of the data, are its employees or customers aggrieved persons?

The answer once appeared favorable to companies. In Rosenbach v. Six Flags Entertainment Corporation, the Second District Appellate Court held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under BIPA. In other words, technical violations of the statute, without any accompanying harm, did not pave the way for litigation.

At the end of 2018, however, the First District Appellate Court, in Sekura v. Krishna Schaumburg Tan, Inc., signaled a more relaxed, plaintiff-friendly standard by agreeing that an injury to a privacy right may be enough to maintain a lawsuit. Though that case also involved allegations of actual harm (unauthorized disclosure of the data to third parties), it created a fissure and undermined whatever comfort came from knowing that technical violations alone would not produce viable lawsuits. And, while the federal courts sitting in Illinois continue to dismiss these cases for lack of constitutional standing, the majority of BIPA cases are filed and remain in state court, where state precedent controls. Companies will seldom find themselves in the more favorable federal venue.

Meanwhile, the plaintiffs in Rosenbach appealed to the Illinois Supreme Court, which heard oral arguments on this issue at the end of November 2018. The central question the court will soon answer is what type of harm must be alleged in order for a plaintiff to maintain suit under BIPA: Are allegations of mere technical violations enough, or must a plaintiff allege a more particular harm? BIPA aficionados across the state are waiting with bated breath to learn the answer.

In the meantime, companies would be wise to review their biometric data notification, collection, storage, and destruction practices. In many ways, regardless of Rosenbach’s outcome, companies need to be extremely vigilant in deciding whether to collect biometric data in the first place and, if so, in developing and implementing careful practices to ensure full compliance with BIPA. Even if the Illinois Supreme Court ultimately concludes that technical violations alone are not actionable, shrewd plaintiffs and their attorneys will not hesitate to articulate allegations of harm beyond mere technicalities. Now is the time to scan your practices.

 

© 2019 Much Shelist, P.C.
This post was written by Laura A. Elkayam and James L. Wideikis of Much Shelist, P.C.
Read more on emerging employment law issues at the National Law Review’s Employment Law Resources Page.

Wave of the Future or a Step Too Far? Wisconsin Company Offers Employees Microchip Implants, Employment Issues Abound

When wireless is perfectly applied the whole earth will be converted into a huge brain, which in fact it is, all things being particles of a real and rhythmic whole. We shall be able to communicate with one another instantly, irrespective of distance. . . . and the instruments through which we shall be able to do his will be amazingly simple compared with our present telephone. A man will be able to carry one in his vest pocket.

–Nikola Tesla, 1926

While we may now take Tesla’s connected world for granted, one cannot help but wonder what readers thought of his predictions in 1926 when he made the above statements in a magazine interview. It remains to be seen whether a similar pattern of skepticism, realization, and acceptance will eventually emerge regarding news that a vending machine company is offering its employees the opportunity to have microchips embedded in their hands to allow more convenient access to facilities, computers, and financial accounts.

The Wisconsin-based employer is reportedly the first in the United States to offer microchips (at a cost to the employer of $300 each) to employees on a voluntary basis. The microchip, roughly the size of a grain of rice, would be inserted into an employee’s hand between the thumb and forefinger, and could be used instead of a key to access buildings, log onto computers or printers, and even pay for goods in the company’s break room. It is not unlike fingerprint or other biometric technology that is becoming more widely used. In this case, however, the pertinent information is stored on the embedded microchip.

The company noted that in the future, the chip may also be able to store medical information or be used for transactions outside of the company. The chip’s technology is not, however, currently able to use GPS to track employees’ whereabouts.

Employers considering whether to implement such emerging technology may want to carefully assess whether the convenience outweighs the risks. Among the legal issues are the following:

Personal Privacy

While the company making headlines has stated that it will not use the technology to track its employees’ whereabouts (and the technology cannot currently support GPS monitoring), embedded microchips like this could create an electronic trail of the employee’s whereabouts whenever the employee is scanned to access secured locations.

Depending on where access points are installed, an employer could gain useful information, such as how long an employee spent in the break room, in the same vicinity as another employee who was allegedly harassed, or where material went missing. Further, having a record of frequent “check-ins” throughout the day as the employee accesses buildings, printers, computers, vehicles, etc. might aid in verifying time records for payroll purposes or compliance with delivery schedules and other customer expectations. This technology is already available to employers through access cards, login PINs, and other devices. The embedded chip would be another technology to use for that purpose, and it would be more difficult to trick the system with “buddy punches” and other surreptitious behavior with microchip technology. On the other hand, an employer could also theoretically confirm how long an employee spent in the restroom, at a union meeting, or complaining to human resources.

If embedded chips ever advance to the point of supporting GPS, a current body of case law regarding non-embedded GPS devices (like phones and devices installed on company vehicles) offers insights into potential legal risks. Companies use these technologies to track the whereabouts of employees, but that also gives companies information that could form the basis of a discrimination claim. For example, a company may learn that an employee is regularly at a medical clinic, which the employee might use to claim disability discrimination. Or, in Wisconsin where state law protects against discrimination based on the use or non-use of lawful products, the employer might learn that the employee spends a lot of off-duty time at the neighborhood bar, which could lead to a claim that the employee was discriminated against for using legal products while not on duty.

In addition, requiring GPS tracking of employees’ whereabouts is a mandatory subject of bargaining for unionized employees. Even for non-union employees, courts have found that employers go too far if they track employees’ whereabouts in places where employees would have a reasonable expectation of privacy (like their homes). Public employers face even greater risks in using GPS technology because courts have found that GPS technology may qualify as a search under the Fourth Amendment.

Data Privacy

Information from the chip (e.g., banking information and medical information) has value and could be the target of theft. Just as personal information could be hacked from other company databases and infrastructure, hacking may be a possibility with this new technology. Because the chip is provided by the employer, would the employer be liable for damages resulting from the misappropriation of stolen information? If an employer were negligent in implementing security protocols on the microchips, there could be litigation over the employer’s liability.

Workers’ Compensation

If an employee has a medical reaction from the implant or the procedure of implanting the chip (for example, developing an infection), there is a possibility that the medical reaction could give rise to a workers’ compensation claim because the chip was provided by the employer for work-related reasons.

Medical and Religious Accommodation

The employer in question here is not requiring employees to embed the chips, but requiring employees to do so would be difficult. Employees would likely have a right to opt out of the requirement based on medical or religious objections. It is not unlike requiring employees to get an annual flu vaccine. Some employees are medically unable and must be granted a medical accommodation under the Americans with Disabilities Act and applicable state laws (absent an undue hardship to the employer). Others may object on religious grounds and therefore qualify for accommodations on that basis.  At least one court has supported an employee’s right to decline on religious grounds far less invasive biometric access technology.

A Look Into the Future

While the microchips currently in use appear to serve limited purposes, it is not farfetched that the technology will continue to develop and allow new uses. Employees may be comfortable with the current use, but not with future uses. Clear communication with employees as to the capabilities and uses of the chip would be essential to minimizing legal risk.

Even more practically, the technology of the chip itself may become outdated or employees might leave their employment with the company and the company would need to determine what to do with the chip already embedded into the employee. This could create medical challenges in removing the chip or controversies with the employee over who has rights to the chip itself or is obligated to pay for its removal.

While the company at issue here has not made implanting a microchip a condition of employment, social, economic, and practical influences could leave employees with little alternative. Just like the convenience of direct deposit has made paper payroll checks virtually obsolete, so too the convenience of chip technology may render physical keys, identification badges, and similar access control measures a thing of the past. Why risk losing or forgetting your identification badge when you can guarantee the necessary data is with you at all times? Financially, it seems likely that an employer could offer an incentive to employees who make use of the chip technology much like auto insurance companies offer premium reductions to those who permit tracking of their driving habits. Many employers already offer shift premiums, are chip premiums on the horizon?

Ultimately, while this developing technology may certainly provide some added convenience and may not be all that significant a departure from our society’s current reliance on mobile devices, embedding a microchip into an employee’s body takes the invasiveness of the technology and the legal ramifications one step further and requires a thoughtful weighing of the risks versus the benefits.

More legal analysis is added daily at The National Law Review.

This post was written by Keith E. Kopplin  and Sarah J. Platt of Ogletree, Deakins, Nash, Smoak & Stewart, P.C..

No Expectation of Privacy in Emails Sent Over Employer’s Email Account, Massachusetts Court Decides

The National Law Review recently published an article by Martha J. Zackin of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding Employee Emails:

Does an employer invade an employee’s privacy by accessing and reviewing the employee’s email? A recent Massachusetts Superior Court decision, Falmouth Firefighters Union v. Town of Falmouth, answers “no.”

For a two year period, the town of Falmouth, Massachusetts, used Google Gmail for its email.  Falmouth entered into a contract with Google for use of Gmail, and the town purchased the domain names used for the email accounts.  Each town employee was given a Gmail address and was responsible for managing the email sent to his or her address.  Although Falmouth’s system did not save any emails on any computer, server, or disc, it was the administrator of the email accounts.  The Gmail accounts were widely used by Falmouth employees for personal communications.

Falmouth published an email policy stating that the town maintained the ability to access any messages on or transmitted over the email system.  “Because of this fact,” the policy stated, “employees should not assume that such messages are confidential or that access by the employer or its designated representatives will not occur.”  Although there was a dispute over whether this policy was subject to collective bargaining between the town and the union representing Falmouth employees, it was clear that employees were never told that their emails were confidential.

The emails to and from the account of a Falmouth firefighter were reviewed and copied during the course of investigating a charge of sexual harassment brought against the town by a former employee.  Some of these emails contained highly personal, intimate, and embarrassing emails.  The firefighter sued, claiming that Falmouth had invaded his privacy in violation of the Massachusetts Privacy Act, which provides that “[a] person shall have a right against unreasonable, substantial or serious interference with his privacy.”  To prevail, a plaintiff must show an expectation of privacy and an unreasonable and either serious or substantial interference with that privacy.

In a case of first impression, the Court found that the firefighter had no legitimate expectation of privacy in the emails and, therefore, no invasion of privacy.  In a very interesting analysis, the Court did not reach the issue of whether the town’s email policy was properly implemented or even relevant.  Rather, and importantly, the Court found that the firefighter “did not have a reasonable expectation of privacy in the emails he voluntarily sent over the Town’s email system absent any assurances that such communications were private or confidential.”

What does this mean for Massachusetts employers?   We continue to recommend that employers implement electronic communications policies that clearly and unequivocally state that the employer has the right to access and review any and all information sent, received, or maintained on any employer-owned or maintained electronic devices or systems.  However, at least in Massachusetts, the absence of such policies will not restrict the rights of employers to access employee emails.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.