Privacy and Employer-Owned Materials

August 3rd, 2009

I have probably generated 500 standard-form employee confidentiality/inventions agreements, and a good number of employee manuals, all of which say that basically anything an employee does on work time with employer-owned equipment (computers) belongs to the employer.

It is very useful to see the limits of these policies. A recent case from the New Jersey Appellate Division has some useful guidelines.  Here is my summary of the helpful considerations in under 500 words.

Case Facts
The CEO of a company got into a dispute with her employer.  The employer took back its computer when the CEO quit and found on it cached copies of emails the CEO had sent to her attorney from her personal Yahoo account.

The employer said that the emails belonged to it since *everything* on the computer belonged to it pursuant to the employer’s policies.  The CEO said that purely personal matters fell outside the scope of the policy.

Court Ruling
The appeals court said that it is not enough for a company to say it owns everything done on its computers- there has to be a need to reach out and take ownership of entirely personal matters.  Based on that, the court held that the emails were not the property of the employer and the employer had no right to hold and use them.

Useful Concepts
None of this is strictly relevant outside of New Jersey, of course, but the case brings up a few interesting ideas:

1) Personal vs. work email.  The CEO did not use her work email account to communicate with her lawyer.  This was an important point in establishing the CEO’s expectation that her emails would remain private.

2)  The court likens the employer’s actions to rifling “a folder containing an employee’s private papers” or examining “the contents of an employee’s pockets”.  To me, this is the most important point.  An employer can certainly *review* an employee’s file folders, but if it finds purely personal items it is obligated to return those to the employee.  Computers are no different- people may store personal information on them.  Employers need to be aware that they are not entitled to review or use these simply because the employer owns the computer.


Someone Actually Fired over Facebook Photos

November 7th, 2008

I regularly hear people worry about the lack of privacy on social networks, that notes or photos posted for a group of friends are not private and that sooner or later someone was going to lose a job over it.

Until today I had never actually heard of it happening.  Former New England Patriots cheerleader Caitlin Davis was fired this week for photos posted on her Facebook page.

The photos show her and a friend using markers to graffiti a passed-out-drunk person at a party.  The graffiti apparently included the words “penis”, “I’m a Jew” and a pair of swastikas.

Davis’s conduct is obviously offensive and inappropriate.  It is remarkable that she would compound that stupidity both by allowing photos of the activity to be taken, and then letting them be posted to her Facebook profile- or anywhere else.

The only positive element in this whole story is that I now have a very memorable example to offer people of how not to behave online.  There is no privacy on social networks.  End of story.

[N.B. I haven’t spent a whole lot of time reviewing this story. From what I can tell no one has accused Davis of writing anti-Semitic graffiti, just of being dumb enough to associate herself with it. Either way, it was enough to get her fired.  Lesson learned, I hope. ]


Do I Really Need a Metadata Scrubber?

February 27th, 2008

The California Bar Journal, a monthly newspaper for attorneys, had a recent update on laws regarding metadata, how to avoid disclosing it inadvertently to opposing sides in litigation, and what to do if someone sends you a document containing inadvertent disclosures.

There are a couple of items in it that might be surprising. Among these is that the California Supreme Court recently opined that if a lawyer receives a document from the opposite side and realizes that the document contains information in the metadata that could be detrimental, the lawyer has a duty to notify the other side of the disclosure.

The trick is that metadata is so pernicious that it’s almost impossible to get rid of without third-party tools. I once had a client that was the victim of “business plan theft”- someone else literally took the company’s business plan, changed the names and used it as its own. This was made crystal clear by the fact that the bottom of the plan had a Mail To hyperlink field. The thieves had typed a new address over my client’s text, but the hyperlink itself was unchanged. If one hovered over the link my client’s email address was still visible.

The more prosaic “forgot to remove tracked changes history” is an even easier way to reveal one’s intra-company discussions as well.

So the question is “who needs to scrub metadata”?

State and local Bar association opinions offer a pretty good answer. Lawyer conduct in litigation settings is highly regulated, and yet the bar associations are profoundly split on how to handle metadata. Some say that a lawyer needs to stop reading as soon as s/he finds confidential information (metadata) inadvertently disclosed, some say the lawyer need only notify the sender of the disclosure, and some say that the burden lies on the sender- leaving the recipient free to view, use and even actively mine metadata.

Taking this as a starting point, the clear answer is that once information has been disclosed it is in the open- at least in the vast majority of cases. So yes, if there is information to protect, metadata scrubbers are valuable.

Microsoft has a tool called “Document Inspector” in Word, Excel and PowerPoint 2007 (not available in Mac Office 2008) that will make sure tracked changes are all removed from a document. Saving a document to PDF will have the same effect. I am told that third-party tools such as Metadata Assistant and Workshare Protect do a more thorough job of identifying and removing undesired metadata, though I have not tried either of these products.
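As an added illustration (not part of the original post, and not how any of the products named above work), here is a pre-send check for the two leaks described earlier: a mailto link whose visible text was retyped while its target was left alone, and leftover tracked changes. It assumes the newer .docx format, which is a zip archive of XML parts; the function names and sample addresses are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS = "word/_rels/document.xml.rels"

def _text(elem, tag):
    """Concatenate the text of every <w:tag> element beneath elem."""
    return "".join(t.text or "" for t in elem.iter(f"{{{W}}}{tag}"))

def audit_docx(data: bytes) -> dict:
    """List tracked changes and mailto links whose visible text hides a different target."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = ET.fromstring(z.read(RELS)) if RELS in z.namelist() else None
    # Hyperlink targets live in the relationships part, not next to the visible text.
    targets = {}
    if rels is not None:
        targets = {r.get("Id"): r.get("Target", "") for r in rels.iter(f"{{{PKG}}}Relationship")}
    stale = []
    for link in doc.iter(f"{{{W}}}hyperlink"):
        target = targets.get(link.get(f"{{{R}}}id"), "")
        shown = _text(link, "t").strip()
        if target.lower().startswith("mailto:"):
            addr = target[len("mailto:"):].split("?")[0]
            if addr.lower() != shown.lower():
                stale.append({"shown": shown, "target": addr})
    return {
        "insertions": [_text(e, "t") for e in doc.iter(f"{{{W}}}ins")],
        "deletions": [_text(e, "delText") for e in doc.iter(f"{{{W}}}del")],
        "stale_links": stale,
    }

def build_sample() -> bytes:
    """Constructed sample: retyped link text over an old mailto target, plus two tracked changes."""
    body = (f'<w:document xmlns:w="{W}" xmlns:r="{R}"><w:body><w:p>'
            '<w:hyperlink r:id="rId1"><w:r><w:t>new@example.net</w:t></w:r></w:hyperlink>'
            '<w:ins w:id="1"><w:r><w:t>added clause</w:t></w:r></w:ins>'
            '<w:del w:id="2"><w:r><w:delText>old price</w:delText></w:r></w:del>'
            '</w:p></w:body></w:document>')
    rels = (f'<Relationships xmlns="{PKG}"><Relationship Id="rId1" '
            f'Type="{R}/hyperlink" Target="mailto:original@example.com"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
        z.writestr(RELS, rels)
    return buf.getvalue()
```

The check reads only the main document part and relationship-based hyperlinks; headers, footers, comments and document properties are separate parts that would need the same treatment.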

Most companies have good storage and backup policies to make sure data isn’t stolen or lost in case of a catastrophic event. Metadata disclosure is probably more likely on a week-to-week basis (how many redlined documents do you work with regularly?) but gets less attention. As with most security measures, it probably isn’t necessary in 99.99% of cases, but the 0.01% can be a killer.
