Six Things to Know About New York’s New Employer Notification Requirements for Electronic Monitoring of Employees

Under an amendment to the New York Civil Rights Law that will take effect on May 7, 2022, private-sector employers that monitor their employees’ use of telephones, emails, and the internet must provide notice of such monitoring. The following provides highlights of the new law.

Question 1. Which employers and electronic monitoring activities are covered?

Answer 1. The law applies to any private individual or entity with a place of business in New York, and it broadly covers “telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems [that] may be subject to monitoring.”

Q2. Are any electronic monitoring activities exempted from coverage?

A2. The law does not cover processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone, voice mail or internet usage,” and it also does not apply to processes “that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual.” The law also exempts processes that are “performed solely for the purpose of computer system maintenance and/or protection.”

Q3. What are some of the law’s compliance obligations?

A3. Private-sector employers that “monitor[] or otherwise intercept[] [employee] telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage” must post a notice of electronic monitoring in a “conspicuous place which is readily available for viewing” by affected employees. Employers also must furnish new employees with written notice when they are hired. The law requires that newly hired employees acknowledge receipt of the notice, “either in writing or electronically.”

Q4. What information must be included in the notices?

A4. Under the law, employers are required to notify employees that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system” may be subject to monitoring “at any and all times and by any lawful means.” The law requires that the written notice advise employees that the electronic devices or systems that may be subject to monitoring include, but are not limited to, “computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems.”

Q5. What are the penalties for violations of the law?

A5. The law provides for the imposition of civil penalties for violations of its requirements. Employers found to be in violation of the law are subject to civil penalties of $500 for a first offense, $1,000 for a second offense, and $3,000 for a third offense and for each subsequent offense. The Office of the New York State Attorney General will enforce the law.

Q6. Are there similar requirements in other jurisdictions?

A6. Connecticut and Delaware also require employers to provide notification of electronic monitoring. As the requirements of these laws vary slightly from New York’s law, employers doing business in either or both of these states and in New York may wish to consider whether to adopt a single approach, or adopt approaches tailored to each jurisdiction’s requirements.

Key Takeaways

New York employers that have not already taken action to comply with this new law may wish to consider whether to post physical notices in the workplace or utilize electronic postings that are visible upon logging in to the employer’s computer, or both.

Employers may also wish to determine how to incorporate the required notice to new employees in their new-hire and onboarding systems. Employers that address electronic monitoring in existing policies may also wish to review the existing policies to ensure that the information in those policies is consistent with the nature of the notification required by the new law, and update existing policies if warranted.

Employers may also wish to consider whether to obtain written or electronic acknowledgments of electronic monitoring from current employees. In addition, employers may wish to evaluate the potential for challenges to the use of information obtained through electronic monitoring absent compliance with the notice requirements.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Theft of Employee Data from Third-Party Vendor Exposes Employer and Vendor to Privacy Class Action

The National Law Review recently published an article by Kevin M. McGinty of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding Employee Data Theft:

A recently filed class action lawsuit asserts claims against the Winn-Dixie supermarket chain and a third-party vendor, Purchasing Power, LLC, in connection with the alleged theft of employee data provided to Purchasing Power in order to administer a discount purchasing program offered to Winn-Dixie employees.  The claims advanced against Winn-Dixie and Purchasing Power highlight the potential risks associated with sharing employee or customer data with third-party vendors, and underscore the need for companies to ensure that the data security practices of third-party vendors are consistent with those of the companies themselves.  The complaint also demonstrates how failure to make prompt disclosure of data breaches to affected individuals can increase the risk of class action litigation.

According to the complaint in Burrows v. Purchasing Power, LLC, Case No. 1:12-cv-22800 (S.D. Fla.), Winn-Dixie either transferred or permitted Purchasing Power to access personally identifiable information (“PII”) of Winn-Dixie employees for the purpose of making a discount purchasing program available to Winn-Dixie’s employees.  The complaint alleges that Winn-Dixie notified employees on January 27, 2012 that Winn-Dixie employee data had been inappropriately accessed by an employee of Purchasing Power.  The notice further stated that Winn-Dixie first learned of the data theft in October 2011.  According to the complaint, Winn-Dixie did not explain the reason for its delay in providing notice, and Purchasing Power has never, at any time, provided notice of the breach to Winn-Dixie employees.

One unique aspect of Burrows that distinguishes it from the typical privacy class action is an allegation that the named plaintiff suffered actual injury by reason of a data breach.  Specifically, plaintiff alleges that the Internal Revenue Service refused to accept his 2011 federal income tax return, stating that a return had already been filed in his name.  Plaintiff claims that someone who had access to the PII stolen from Purchasing Power filed the return, thereby depriving plaintiff of an anticipated refund.  He seeks damages associated with the lost refund, in addition to other damages associated with the risk of further misuse of his PII.

The complaint asserts claims for negligence, violation of the federal Stored Communications Act, 18 U.S.C. § 2702, violation of the Florida Unfair and Deceptive Trade Practices Act, and breach of the common law right to privacy.  Plaintiff asserts these claims on behalf of a putative class of all Florida employees of Winn-Dixie whose PII was provided to or accessed by Purchasing Power.

The complaint in Burrows has some evident flaws.  The Stored Communications Act only applies to conduct by entities such as Internet service providers that are engaged in the “provision to the public of computer storage or processing services by means of an electronic communications system.”  18 U.S.C. § 2711(2).  Neither the defendants nor the conduct alleged facially meet this requirement.  Further, the particularized harm allegedly suffered by the named plaintiff allows defendants to argue that determining whether class members suffered actual injury would raise highly individualized questions of fact that preclude certification of a plaintiff class to seek money damages under Fed. R. Civ. P. 23(b)(3).

Nonetheless, certain aspects of Burrows pose challenges for the defendants.  Where, as here, the data breach allegedly resulted from a targeted effort to steal PII – unlike cases involving thefts of laptops, in which any data theft is incidental – courts have been more receptive to claims that class members’ costs to mitigate risk of identity theft constitute cognizable injury.  The actual injury allegedly suffered by the named plaintiff supports the argument that the threat of misuse of the stolen data is not speculative and, therefore, warrants monetary and injunctive relief.

Burrows provides a timely reminder that it is critical that any company that shares customer or employee PII with a vendor ensure that the vendor can adequately protect such data.  Executing a written agreement specifying the company’s and the vendor’s respective data security obligations is a necessary, but not sufficient, step.  The contract will not be worth the paper on which it is written if the vendor lacks the capability to comply with its obligations.  Individuals responsible for the company’s data security practices must engage in sufficient due diligence to assure the company that the vendor’s data security practices are at least commensurate with the company’s practices and otherwise comply with the legal requirements of all applicable states and jurisdictions.  In addition, to provide proper incentives to adhere to contract requirements, the agreement should indemnify the company for any losses caused by the vendor’s failure to satisfy its data security obligations.

Finally, Burrows illustrates the critical importance of prompt notification whenever a data breach occurs.  If plaintiff was indeed victimized by someone who filed a bogus return using the plaintiff’s stolen PII, notice to employees in October 2011, perhaps combined with proactive steps to protect affected employees from misuse of data, might have forestalled such an injury.  Absent such an occurrence, it is unlikely that a lawsuit would ever have been filed.  Ultimately, providing prompt notice whenever a data breach occurs avoids violating state law notice requirements and discourages the filing of class action lawsuits.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.