Employee Privacy

Reminder: Restrictions on Accessing Employee Personal Accounts Take Effect March 12, 2024

March 7, 2024

By Kali R. Schreiner

As a reminder, beginning March 12, 2024, Labor Law 201-i prohibits employers from requesting, requiring or coercing an employee or job applicant to: (i) disclose a username and password or other login information in order to access a personal account; (ii) access a personal account in the employer’s presence; or (iii) reproduce information contained within a personal account through unlawful measures. This new legislation also prohibits an employer from discharging or disciplining an employee or refusing to hire an applicant for failure to disclose such information.

The legislation is subject to certain exceptions and limitations. For example, an employer may require disclosure of information to access nonpersonal accounts that allow admission to “the employer’s internal computer or information systems.”[1] Employers may also view, access and rely on information that is publicly available.

The law also sets forth certain notice and acknowledgement requirements which employers must closely review. Specifically, under Section 5(i), an employer may obtain login information for accounts provided by the employer where the account is used for business purposes and the employee was provided prior notice of the employer’s right to inquire about such information. An employer is also permitted to access an electronic communications device which is “paid for in whole or in part by the employer where the provision of or payment for such device was conditioned on the employer’s right to access.”[2] However, the employee must have received prior notice of the condition and explicitly agreed to it. Nonetheless, the employer is prohibited from accessing any personal accounts on the device.

This law excludes law enforcement agencies, fire departments and departments of corrections and community supervision.

If you have any questions regarding the NLRB’s new rule, please contact Kali Schreiner, any attorney in Bond’s labor and employment practice or the Bond attorney with whom you are regularly in contact.

[1] N.Y. Lab. Law § 201-i (2)(b).

[2] Id. at § 201-i (5)(iii).

NLRB General Counsel Issues Memo on Electronic Monitoring, Artificial Intelligence and Employee’s Section 7 Rights

November 10, 2022

With the proliferation of remote work options in today’s post-pandemic world, employers’ electronic monitoring of their employees’ daily activities has become more routine. On October 31, the National Labor Relations Board (Board) general counsel (GC) released a new memo cautioning against the potential violations of Section 7 of the National Labor Relations Act (Act) that use of such electronic monitoring may raise by “significantly impairing or negating employees’ ability to engage in protected activity and keep that activity confidential from their employer[.]” The GC announced intent to urge the Board to “zealously enforc[e]” existing Board precedent in this context and protect employees’ rights “to the greatest extent possible.”

NYS Launches Sexual Harassment Hotline

July 20, 2022

By Theresa E. Rusnak

On July 19, 2022, Gov. Kathy Hochul announced the launch of a statewide hotline for employees who believe they have been sexually harassed in the workplace. This announcement follows several pieces of legislation passed in March 2022, in which sexual harassment protections for employees were expanded. As part of the legislation, the New York State Division of Human Rights was directed to establish a toll-free, confidential hotline for complainants of workplace sexual harassment. Employees can call the hotline and receive advice on their legal rights as applied to their specific circumstances from attorneys, who staff the hotline pro bono. As of July 20, 2022, the hotline is operational from 9 a.m. to 5 p.m., and can be reached at 1-800-HARASS-3 (1-800-427-2773).

Mark Your Calendars: One Month Until New York’s Law Requiring Notice of Electronic Monitoring of Employees Goes into Effect

April 7, 2022

By Amber L. Lawyer, Shannon A. Knapp, and Gianelle M. Duby

New York entities have one month to prepare required notices to employees for certain types of electronic monitoring. On Nov. 8, 2021, Gov. Hochul signed into law an amendment to the New York Civil Rights Law that requires any private individual or entity with a place of business in the state to provide notice to employees for certain types of electronic monitoring. The law goes into effect on May 7, 2022, pushing employers to determine the scope of their electronic monitoring activities and begin updating their policies and issuing notices to ensure compliance with the new law’s requirements prior to its effective date.

Court Permanently Enjoins New York from Enforcing Employee Reproductive Rights Notice Provision

April 6, 2022

By Gianelle M. Duby

On March 29, 2022, a federal court in Upstate New York permanently enjoined New York State from requiring employers to include a government-issued “notice” of workers’ rights and remedies in their employee handbooks regarding reproductive health decisions.

New York Enacts Law Requiring Employers to Provide Notice of Electronic Monitoring

November 19, 2021

On Nov. 8, 2021, New York Gov. Kathy Hochul signed a bill amending New York’s Civil Rights Law by adding a new section that requires employers to give prior written notice of any electronic monitoring to employees upon hire. The law takes effect on May 7, 2022. The law applies to all private sector employers in New York, regardless of the size of the employer. 

New York Court of Appeals Issues Decision Addressing Public Access to Police Personnel and Disciplinary Records

March 17, 2019

By Christopher T. Kurtz

On December 11, 2018, the New York Court of Appeals issued a decision (over two dissenting opinions) addressing public access to police personnel and disciplinary records.  The Court held that certain personnel records sought by the New York City Civil Liberties Union (“NYCLU”) pursuant to the Freedom of Information Law (“FOIL”) are exempt from disclosure under New York Civil Rights Law § 50-a and New York Public Officers Law § 87(2)(a).  In doing so, the Court affirmed the decision of the Appellate Division, First Department, and the broad applicability of Civil Rights Law § 50-a to requests for police personnel/disciplinary records.

Employers May Be Liable for the Release of Employees' Personally Identifying Information in Data Breaches

December 5, 2018

By Nicholas P. Jacobson

It seems that reports of hackers breaching a business’s security measures to obtain customer information appear on an almost weekly basis.  Unfortunately, businesses need to worry not only about the unauthorized access of customer data by hackers, but also the unauthorized access of sensitive employee information as well.

Preventing Unauthorized Access to and Disclosure of Confidential Employee Information

April 14, 2016

By Jessica C. Moller

Inherent in all employment relationships is the fact that employers are privy to all sorts of confidential information about their employees. For example, in order to do something as simple as paying an employee’s wages, an employer will generally need to know the employee’s social security number, and, in cases of direct wage deposit, will also need to know the employee’s bank account information. Employers also often come into possession of confidential medical information in connection with employees’ requests for medical leaves of absence under the Family and Medical Leave Act, or when engaging in the “interactive process” with disabled employees who have requested accommodation for their disabilities.

Because employers are necessarily privy to confidential employee information, they are also inherently at risk for unauthorized disclosure of such information to others. Especially with all of the news in recent months about consumer and employee data breaches, employers should question whether the security measures they have in place to protect private employee information are actually sufficient.

But even those employers who have generally taken appropriate security measures are not necessarily immune from potential liability and are still at risk for potential disclosure of confidential information. Take, for example, the situation where an employer, who has otherwise implemented appropriate controls to protect confidential information, is undergoing maintenance of its IT system, and during the maintenance process certain file access restrictions are temporarily disabled. That is precisely the situation that occurred in Tank Connection, LLC v. Haight, a case that was decided by the U.S. District Court for the District of Kansas on February 5, 2016.

The employer in Tank Connection, a manufacturer of above-ground storage tanks with approximately 300 employees, was like many other employers with regard to how it limited employee access to its IT systems: “Each employee's computer was password protected. Access to data on the server was controlled by user-account privileges (Microsoft Active Directory). The user accounts were set up with standard authentication practices including user name and password.” The company also had certain IT directories and files that were only accessible to Tank Connection’s president and network administrator because they contained confidential and proprietary information. So far, so good. But here comes the problem. When the company changed its IT servers, certain security settings were not correctly transferred from the old server to the new, and a file whose access was previously restricted to the president and network administrator was now accessible to employees. Unfortunately, this mistake was not discovered by the company until after a particular employee, who was leaving the company to work for a competitor, accessed and copied confidential information from the file just prior to leaving Tank Connection.

When the mistake was ultimately discovered, Tank Connection took legal action to recover the information from the now former employee. The company claimed that notwithstanding the mistake with the IT server, the employee accessed the information without authorization and essentially “stole” it from the company. But the court ultimately rejected this claim, reasoning: “The problem with Tank Connection's argument that [the employee] exceeded his authorized access is that it is premised upon a restriction that was supposed to be incorporated into its network settings, but which in fact was not. . . . The fact that Tank Connection inadvertently provided [this employee] with access to the folder did not restrict or limit his authority. Nor does the fact that [the employee] apparently accessed these folders for purposes contrary to Tank Connection’s interests amount to evidence that he exceeded ‘authorized access.’” In other words, despite Tank Connection’s intent to maintain confidentiality of the file, the inadvertent mistake that occurred with the IT server resulted in the company failing to properly protect the confidential information and exposing it to potential disclosure and misuse.

An important lesson should be learned from the Tank Connection, LLC case -- actions speak louder than intentions with regard to maintaining confidentiality. Even an employer’s best intentions to protect the confidentiality of employee information can go awry and will be rendered meaningless if the employer’s actions do not actually safeguard the information at issue. To ensure that intentions match actions, employers should regularly audit their information security protocols, including all security measures in effect on their IT systems to protect confidential employee information kept in electronic form, to ensure the continued functionality of such measures and make sure that what they think is in place actually is.

Issues to Consider When Using Biometric Scanners to Track Attendance

December 7, 2015

By Hilary L. Moreira

Many employers now track employee attendance by using biometric scanners that require an employee to clock in and out by scanning a fingerprint or a palmprint. Such scanners have largely replaced paper timesheets and have made managing employee attendance more accurate and efficient. However, employees sometimes express privacy concerns when asked to provide such data. Many employees are concerned about what an employer may do with the gathered information or whether the information could be hacked by an outside individual.

Recently, an employee was awarded a judgment of $586,860 (including back pay, front pay, and compensatory damages) after his employer forced him to retire due to his refusal to use the biometric hand scanner that the company installed to track attendance. The employee, who was an Evangelical Christian, had informed his employer that using the hand scanner violated his sincerely held religious beliefs because it could potentially be used to create an identifier for followers of the antichrist known as “The Mark of the Beast.” While this is an extreme example, many employees have expressed fears that their biometric data may be improperly used in the future.

New York employers should be aware that New York State has one of the few statutes that limits the collection of biometric data. New York Labor Law Section 201-a prohibits employers from requiring the fingerprinting of employees as a condition of obtaining or continuing employment. There are limited exceptions to this restriction. For example, the New York State Department of Labor has taken the position that voluntary fingerprinting is permissible. Additionally, Section 201-a does not apply to state or municipal employees, workers at medical institutions, many school employees, or to other employees who are subject to fingerprinting by law or regulation. Aside from these exceptions, however, many New York employers may be limited to the use of hand scanners or the more expensive iris scanning equipment, rather than a device that requires an employee’s fingerprint.

As an alternative to biometric scanners that require an employee’s fingerprint, some employers have installed devices that use a finger geometry “scan” rather than an actual “fingerprint.” This technology scans a user’s finger and identifies an individual’s finger “geometry” by measuring its length, width, thickness, and surface area, and disregards surface details, such as fingerprints, lines, and scars. Those measurements are often converted into a mathematical algorithm that is then stored in the attendance scanners. Because a fingerprint is not taken, Section 201-a is not implicated. Once employees understand that their actual fingerprints are not being taken or kept by their employers, their privacy concerns generally dissipate.

In addition to potential Section 201-a issues, employers should also be aware that they may have a duty to bargain with a union before requiring the use of such biometric devices pursuant to the National Labor Relations Act or the Taylor Law.

Employers who are considering implementing a biometric scanner system to track attendance should: (1) communicate with employees prior to introducing the biometric system, so that all employees will understand exactly how the technology is used; and (2) distribute a clear employer policy. Often, employee privacy concerns are based on misinformation that can be alleviated by taking these two simple steps.

The Use of Social Media During the Hiring Process: Do the Benefits Outweigh the Risks?

April 13, 2015

As the social media phenomenon continues to dominate our culture and its use has become second-nature, it is worthwhile to revisit some of the issues presented by an employer's use of social media, particularly in the context of hiring.

Social media presents a unique workplace conundrum. On one hand, employees generally believe that their use of social media outside of work is none of their employer’s business. However, employers need to make employment decisions based on the best available information, which sometimes includes information an employee or potential employee shares on social media. In the context of hiring, a candidate’s social media page can provide invaluable insight into the candidate’s character. Generally, people tend to be much more candid on social media than they would be during a job interview, and, as the saying goes, “a picture is worth a thousand words.”

While there are currently no laws prohibiting New York employers from accessing an applicant’s social media information during the hiring process, there are potential legal pitfalls depending on how a candidate’s social media information is accessed, what information is obtained, and what information is considered when making a hiring decision. Social media sites contain a lot of information that employers are legally prohibited from considering during the hiring process (e.g., age, sexual orientation, race, religion, ethnicity, etc.). Simply possessing this type of knowledge about a candidate could ruin an otherwise well-based decision not to hire an individual, because it could create an inference that this information was part of the basis for the decision. Thus, employers that use social media as a hiring tool must exercise caution and take the appropriate steps to address these concerns.

At the outset, an employer should determine whether a social media search will be conducted as part of the hiring process, and if so, develop a policy regarding the use of social media in hiring. The policy should address what positions the search will be used for, the scope of the search, and when the search will occur, which is ideally later in the process to limit the number of candidates who are affected. The policy should also clearly identify what information will not be looked at or considered (i.e., protected characteristics), and what will be reported to those involved in hiring. Employers must ensure that this policy is distributed and communicated to hiring managers, and that they understand the purpose of the policy. As with any other policy, it is important that it is followed and applied consistently.

With respect to implementation of the policy, it is imperative that direct hiring managers do not access social media as part of the hiring process. A non-decision-maker should conduct the search and report only relevant, non-protected information to the decision-maker. To ensure this process is effective, the non-decision-maker conducting the search must understand what information the employer is legally prohibited from using when making a hiring decision.

An employer should never access any site that they have not been authorized to access, nor should employers require a candidate to provide them with access to their personal social media accounts. As reported in our April 28, 2012 blog post, legislation was introduced in the New York State Senate that was intended to prohibit employers from failing to hire an applicant based on his/her refusal to provide login information to the employer. Although this bill has not been passed, it is still the best practice to refrain from requiring candidates to provide access to their social media accounts as part of the application process, or as a condition of an offer of employment. In fact, multistate employers should be aware that at least 18 states, including Arkansas, California, Colorado, Delaware, Illinois, Louisiana, Maryland, Michigan, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Vermont, and Washington, have enacted legislation regulating an employer’s social media activity, most of which contain prohibitions against requiring applicants or employees to provide the employer with his/her personal login information.

Further, employers should not falsify information or impersonate an individual to gain access to the page. In other words, an employer must not ask an employee who is “friends” with a candidate to access his/her page. As a rule of thumb, only view information that is open to the public.

Employers should attempt to verify information before relying on it. Employers should also document and retain the information obtained in the search, including the search criteria and the information considered as a basis for their hiring decisions.