Misuse of Technology & Preventive Strategies

From: Staffing

Misuse of Technology & Preventive Strategies

Technology is a workplace necessity that unfortunately leads to employer liability for employees’ misuse under the theories of respondeat superior (vicarious liability) and negligence.

Respondeat Superior (Vicarious Liability)

An employer may be held vicariously liable for the actions of its employees within the scope of employment under the doctrine of respondeat superior. Although the standard for determining scope of employment varies from jurisdiction to jurisdiction, courts most commonly find that conduct is within the scope of employment if all of the following apply:

  • The actions taken were the type of conduct the employee was hired to perform.
  • The actions took place substantially within the time and limits of the employment (for example, during working hours, at the location where the employee was required to be, performing the expected workplace tasks).
  • The actions were taken at least partly for the benefit of the employer.
  • If the actions were intentional, the harm was foreseeable to the employer.

Courts may consider the following factors to determine the scope of employment:

  • The employee’s job description or assigned duties.
  • The time, place, and purpose of the employee’s act.
  • The extent to which the employee’s actions conformed to what the employee was hired to do.
  • Whether the conduct by the employee was reasonably foreseeable.

Negligence

Under the theory of negligence, an employer may be held liable for the acts of its employees when the employer fails to use ordinary care. For instance, an employer commits negligence when:

  • The employer does not exercise the amount of care that a reasonably careful person would use under the circumstances.
  • The employer does something that a reasonably careful person would not do under the circumstances.

Unlike respondeat superior, an injured party can bring an action in negligence against an employer even if the employee’s conduct is outside the scope of employment and there is no connection between the negligent conduct and the employment.

Negligent Retention and Supervision

The most common types of negligence claims involving the misuse of employer technology are negligent retention and supervision claims. In a typical negligent retention or supervision action, an injured party must establish that an employer knew or should have known of a serious problem with an employee’s fitness or competence and that the employer’s failure to take action (such as discipline, reassignment, or termination) was the proximate cause for the plaintiff’s injury. Proximate cause is the foreseeability of the plaintiff’s injury related to the employer’s failure to act. In other words, the employer is not liable merely because its employee is unfit or incompetent. Rather, an employer’s duty of care to third parties arises only when the risk of harm from an employee is reasonably foreseeable. Courts have held that a duty of care arises only when the employer knows, or should have known, facts that would warn a reasonable person that the employee presents an undue risk of harm to third parties in light of the work to be performed.

Cloud Computing and Trade Secrets

A more recent threat to data safety, cloud computing/storage requires a level of security different from previous storage options for confidential information. Information stored in the cloud has the potential to be accessible to anyone with access to the Internet, and from anywhere in the world. While hackers do pose a threat to daily business operations upsets and security breaches, third-party providers of cloud services as well as company employees pose the biggest threats. Thus, organizations must take steps to limit access to company information stored in the clouds, as well as have systems in place to minimize risk.

The American Bar Association suggests that employers implement the following safeguards for safety of cloud-stored information:

  • Limit employee access to trade secret files to those with a need-to-know basis.
  • Limit access to cloud-based solutions on company computers and prohibit any use of personal cloud solutions for company materials.
  • Monitor when files are accessed or downloaded, and by whom.
  • Require employees to sign nondisclosure agreements.
  • Conduct exit interviews.
  • Collect and secure computers used by terminated employees.
  • Label or name files containing trade secrets as “confidential” or “trade secret.”

To minimize the risk of losing trade-secret protection because of unauthorized use or disclosure, consider taking the following steps:

  • Immediately remove any trade-secret information from the cloud and make efforts to investigate the source of the information leak.
  • Send cease-and-desist letters or initiate litigation against the offending party.
  • Enforce known violations of confidentiality agreements or nondisclosure agreements.

Potential Claims Against Employers

Potential actions brought against employers for misuse of technology fall into two categories:

  • Claims by employees, clients, or third parties alleging damages caused by the misuse of the employer’s technology by an employee(s). For example:
    • Sexual harassment and discrimination.
    • Copyright infringement.
    • Misappropriation of trade secrets.
    • Defamation.
  • Claims by employees alleging the employer’s abuse of the employer’s technology. For example:
    • Invasion of privacy.
    • Violations of the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act.

Sexual Harassment and Discrimination

Sexual harassment and discrimination claims may be brought against employers based on the misuse of technology in the workplace; the most common of such claims is hostile work environment. Hostile work environment caused by sexual harassment occurs when unwelcome sexual conduct unreasonably interferes with an individual’s job performance or creates a hostile, intimidating, or offensive work environment. The following examples illustrate how a hostile work environment, sexual harassment claim might arise.

Example 1: Anthony is employed at ABC Company. Anthony routinely receives sexually explicit jokes and pictures via email and text message on his company provided phone and laptop. Thinking that the jokes and pictures are funny, he routinely forwards them to co-workers. The jokes are inadvertently forwarded to Kristen, a female co-worker, who finds them offensive.

Example 1: During her lunch hour, Alice likes to sit at her work computer and download and view sexually explicit images. Co-workers routinely have to pass by Alice’s desk and often see the images, which make them uncomfortable.

In each of these cases the employer will be liable if it:

  • Knew or reasonably should have known about the harassment.
  • Failed to take immediate and appropriate action.

The employer does not have to have actual knowledge of the harassment. Under certain circumstances, an employer may be deemed to have “constructive knowledge” of the harassment, for example:

  • Where the harassment is openly practiced or well known among employees.
  • Where a complaint has been filed.

An employer may also be liable for the creation of a hostile environment by employees, customers, or even independent contractors if the employer has knowledge of such harassment and fails to take appropriate corrective action.

Copyright Infringement

While the use of workplace technology has vastly increased our ability to duplicate, manipulate, share, and transfer digital information, it has also left employers vulnerable to claims of copyright infringement. There are two main theories of employer liability for copyright infringement:

  • Contributory infringement.
  • Vicarious infringement.

Under contributory infringement, an employer may be liable where it:

  • Knew, or had reason to know, about the copyright infringement.
  • Induced, caused, or materially contributed to the violation.

The “knowing” requirement may be satisfied where the employer was not actually aware of the infringement, but did possess the means to prevent or discourage the infringement.

Under vicarious infringement, an employer may be held liable for copyright infringement where it:

  • Has the right and ability to control the infringer’s act.
  • Receives a direct, financial benefit from the wrongful acts.

Knowledge of the infringement is not an element of vicarious infringement liability, unlike contributory infringement.

Example: ABC Corp. provides computers and high-speed Internet access to employees for business purposes. ABC supervisors have become aware that some employees have installed and used free file-sharing software on company computers to share copyright materials (music, software) online. ABC Corp. has not taken any corrective action regarding the situation.

In this example, the employer may be liable under the contributory infringement theory because it knew employees were using company resources (computers and Internet access) to perform the infringing activity and failed to take corrective action. Whether the employer could be held liable under the vicarious infringement theory would depend on whether the employer received a direct financial benefit from the infringement.

Misappropriation of Trade Secrets

Another claim based on the misuse of technology is the misappropriation of trade secrets. According to the Uniform Trade Secrets Act (UTSA), a trade secret is information that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. The act goes on to define misappropriation of trade secrets as:

  • Acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means.
  • Disclosure or use of a trade secret of another without express or implied consent by a person who:
    • Used improper means to acquire knowledge of the trade secret.
    • At the time of disclosure or use, knew or had reason to know that the knowledge of the trade secret was:
      • Derived from or through a person who utilized improper means to acquire it.
      • Acquired under circumstances giving rise to a duty to maintain its secrecy or limit its use.
      • Derived from or through a person who owed a duty to the person seeking relief to maintain its secrecy or limit its use.
    • Before a material change of the person’s position, knew or had reason to know that it was a trade secret and that knowledge of it had been acquired by accident or mistake.

The majority of states have trade secret laws adopted from the UTSA, and in most states a claim for misappropriation of trade secrets requires a showing of the following:

  • The information taken incorporates a trade secret.
  • The injured party took reasonable steps to maintain the secrecy of the trade secret.
  • The defendant misappropriated the secret or used improper means, in breach of a confidential relationship, to acquire the trade secret.

Trade secret misappropriation can arise in a wide variety of circumstances. A simple example would be a disgruntled employee copying client lists and marketing information to an external drive or exporting to a cloud service and then taking that information and using it with a new employer. Sometimes the misappropriation may involve other criminal conduct; for example, an employee may misappropriate trade secrets by hacking a competitor’s computer or network.

Defamation

Employers face a growing threat of defamation claims with the widespread personal use of company email, the dominance of social networking sites, and publicly posted reviews and blogs. An employer’s reputation can be quickly and easily damaged through the use of social media and networking.

Defamation is an untrue statement made by a person to another that injures the reputation of a third party. Libel is written defamation and slander is spoken defamation. In the context of employer technology, most defamation constitutes libel.

To state a claim for defamation an injured party generally must prove:

  • The defendant published a false and defamatory statement concerning the plaintiff.
  • The plaintiff suffered damages as a result of the publication.

In regards to the publication requirement, publication is the act of making the statement known to someone other than the person being injured by the defamation. From a technological perspective, publication can occur when a person posts something on a social networking site or blog, makes a podcast, posts a review, sends an email, etc. Employers must be aware that they may be held vicariously liable for an employee’s defamatory statements on a social networking site or blog where the subject of the statement falls within the scope of the employee’s employment or within the employee’s actual or apparent authority. For instance, cyberlibel is essential defamation where the material is posted on the Internet.

Employers should also note that they may be sued for defamation for circumstances surrounding an employee’s termination. For example, in Noonan v. Staples, Inc., 707 F. Supp. 2d, 85, Staples was sued for defamation after the company sent a mass email to about 1,500 employees stating that a named manager had been terminated for violating the company’s travel and expenses policy (defamation through oral communication). While Staples eventually won the suit on appeal, it represented an avoidable expense for the company.

Invasion of Privacy

The widespread necessity of technology in the workplace has intensified the conflict between employees’ privacy rights and the competing right of employers to oversee the workplace. Employers need to understand how the use of new technology may lead to invasion of privacy claims. For instance, invasion of privacy claims are generally broken down into four categories:

  • Intrusion.
  • Publication of private facts.
  • False light.
  • Appropriation of name or likeness.

Intrusion

Intrusion claims (also known as intrusion into the solitude or seclusion of another or tortious invasion of privacy) are based upon allegations that a person’s conduct intruded into another’s reasonably expected sphere of privacy. In regards to workplace technology, intrusion claims most often relate to electronic monitoring of employees (email, voice mail, and Internet use).

In most states, to bring a successful intrusion claim, an aggrieved party must establish:

  • That the defendant, without authorization, intentionally invaded the private affairs of the plaintiff.
  • That invasion was offensive to a reasonable person.
  • That the intrusion involved a private matter.
  • The intrusion caused damages to the plaintiff (mental anguish or suffering).

In addressing these elements, courts have attempted to balance the employee’s reasonable expectation of privacy against the employer’s business interest in monitoring. In regards to an employee’s expectation of privacy, the courts have generally held that an employee has no reasonable expectation of privacy where the employer put the employee on notice of the monitoring or the employee has consented to the monitoring. In addition, courts have held that employers have a strong business interest in monitoring employees. These interests can include:

  • Measuring employee productivity.
  • Maintaining confidentiality.
  • Protecting trade secrets.
  • Preventing inappropriate and unprofessional conduct.
  • Preventing misuse of the employer’s property.

As a result, except for the most egregious invasions, common law intrusion claims are generally unsuccessful.

Public Publication of Private Facts

Public publication of private facts is generally defined as the publication of matters concerning the private life of another that would be highly offensive to a reasonable person of ordinary sensibilities and is not of legitimate concern to the public.

To bring a successful claim for public publication of private facts, a person must generally establish that the defendant disclosed a private fact. Private facts are intimate details of a person’s private life that are not generally known. Private facts may include:

  • Social Security numbers.
  • Medical history.
  • Sexual orientation.
  • Economic or financial status.

A prime example of public publication of private facts occurred to Aon Consulting, the state of Delaware’s benefits consultant that accidently posted the personal information of about 22,000 retirees online, including Social Security numbers, gender, and dates of birth.

False Light

Generally, false light invasion of privacy occurs when information about a person that is false or places the person in a false or misleading light is widely published, highly offensive to a reasonable person, and published with reckless disregard as to its offensiveness. False light includes embellishment (adding false material to a story to place someone in a false light), distortion (the arrangement of materials or photographs to give a false impression) and fictionalization (works of fiction containing disguised characters that represent real people or references to real people in fictitious articles).

The elements of a false light claim vary greatly in those jurisdictions in which it is recognized. Generally, these elements include:

  • A publication by the defendant about the plaintiff:
    • That is made with actual malice.
    • Which places the plaintiff in a false light.
    • That would be highly offensive to a reasonable person.

False light claims are very similar to defamation claims and the two are often brought together.

Appropriation of Name or Likeness

Appropriation of name or likeness invasion of privacy occurs when an individual’s name or likeness is used to promote a product or service without the individual’s consent.

To establish a claim for misappropriation of name or likeness, a plaintiff must generally establish that the defendant:

  • Used an aspect of the plaintiff’s identity that is protected by law (name or likeness).
  • Used the name, likeness, or other personal attributes for commercial or other exploitative purposes.
  • Did not have permission for the offending use.

Misappropriation of an individual’s name or likeness in regard to technology may occur when an employer uses an individual’s name or likeness in a company’s online marketing materials without the employee’s prior consent.

Electronic Communications Privacy Act

While courts have generally sided with employers with regard to intrusion claims, employers should recognize that federal and state laws may affect their ability to monitor employees. The federal Electronic Communications Privacy Act (ECPA) makes it unlawful to intercept messages in transmission or access stored information on electronic communication services or disclose any of this information. Although the ECPA does not expressly mention email, the courts have interpreted “electronic communications” to include emails. The ECPA does not guarantee an employee’s right to email privacy in the workplace, and there are three specific instances when an employee’s protection under the ECPA does not apply:

  • The Consent Exception (18 U.S.C. § 2511(2)(d)): Interception of an electronic communication is not unlawful if the intercepting person is a party to the communication, or if one of the parties involved in the communication consents. The only exception to this is if the purpose of intercepting the communication is to use it to commit a crime or tort. If an employer asks employees to sign an employment agreement stating that their electronic communications will be monitored, the agreement will nullify the protection of the ECPA.
  • The Provider Exception (18 U.S.C. § 2511(2)(a)(i)): Allows an officer, employee, or agent of a provider of wire or electronic communication service, whose equipment is used in the transmission of an electronic communication, to intercept, disclose, or use that communication in the normal course of employment if that person is involved in an activity that impacts upon the normal course of operations or upon the protection of their property rights. This means that intercepting emails to conduct quality checks is permissible as is intercepting them if the employer believes an employee is stealing by sending personal emails during compensable working hours.
  • The Business Extension Exception (18 U.S.C. § 2510(5)(a)) which also covers interception during the ordinary course of business and is akin to the provider exception.

Subsequent to these exemptions, employers are justified in intercepting email messages for a legitimate business purpose. However, if the business takes physical action to protect the privacy of email by installing a system that allows messages to be marked as confidential or by using passwords, or if the business tells employees that their email is private, the employer’s right to intercept may be considered voided unless one of the aforementioned exceptions is proven. In determining whether an employee’s privacy has been violated courts will weigh the reasonableness of the employee’s expectation of privacy against the business interest of the employer in monitoring the communication. However, courts have traditionally held that legitimate business interests permit employers to intercept communications.

Computer Fraud and Abuse Act

The federal Computer Fraud and Abuse Act (CFAA), located at 18 U.S.C. § 1030, creates liability for intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining information from any protected computer. In the workplace, the CFAA allows an employer to bring a civil action against an employee who accesses its computers without authorization or in a manner that exceeds authorized access (for non-company purposes) including gathering information to help a new or prospective employer. Although the CFAA is primarily a criminal statute designed to combat hacking, employers often bring claims under the CFAA when a disloyal employee (typically, an employee who has accepted employment with a competitor) downloads or emails confidential information for the benefit of the employer’s competitor.

The CFAA’s civil suit provision, which allows any person who suffers damage or loss by reason of a violation of the act to bring a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief, may only be brought if the conduct involves one of the following factors:

  • Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
  • Physical injury to any person.
  • A threat to public health or safety.
  • Damage affecting a computer used by or for an entity of the U.S. government in furtherance of the administration of justice, national defense, or national security.
  • Damage affecting 10 or more protected computers during any one-year period.

Note: Damages for a violation involving only the loss to one or more persons during any one-year period aggregating at least $5,000 in value are limited to economic damages.

However, no action may be brought:

  • Unless such action commences within two years of the date of the act complained of or the date of the discovery of the damage.
  • For the negligent design or manufacture of computer hardware, computer software, or firmware.

Importantly, in a Fourth Circuit case, WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, the court held that a disloyal employee’s violation of a computer use policy, no matter how outrageous, would not support a CFAA claim if the employee was authorized to access the data at the time that the data was downloaded or the information was retrieved. In so holding, the court noted that the CFAA is primarily a criminal statute and that courts must construe criminal statutes strictly. The court further stated that Congress did not intend to subject employees who violate their employers’ computer use policies to criminal penalties.

Subsequent to this holding, an employer who wishes to retain the ability to bring a CFAA claim in the disloyal employee context must initially deny access to its trade secrets, or withdraw that authorization before the employee accesses the data. Additionally, where the employee downloads information to which the employee was permitted access and then misuses that data to benefit a competitor, the employer will not have recourse to a CFAA claim and should focus on state law claims.

Preventive Strategies

The best strategy an employer can take to prevent the misuse of employer technology is to formulate a comprehensive workplace technology policy that addresses the concerns outlined above. However, it is not enough that an employer simply have a policy, the employer must implement and consistently enforce that policy. However, before implementing any policy, employers should seek counsel regarding the application of state and federal laws and any applicable court decisions.

Use of Employer Technology

A comprehensive workplace technology policy should include a statement clearly describing how the employer’s technology may be used. An employer that wants its technology used strictly for business purposes should clearly express that limitation in its policy. On the other hand, if the employer allows incidental personal use of its technology, it should clearly set out the parameters of such use. Consistent enforcement of any policy is essential for its effectiveness.

The employer should provide a list of acceptable and unacceptable uses under its policy. This list may be categorized by technology type or may simply be a bulleted list. For example:

Pursuant to ABC Corporation’s workplace technology policy, unacceptable use of employer technology by employees includes, but is not limited to, the following uses:

  • Downloading or viewing pornographic or illegal material.
  • Downloading, copying, and/or sharing copyrighted materials (such as software, music, and movies).
  • Gaining unauthorized access to any computer, computer network, or website.
  • Sending or posting discriminatory, harassing, or threatening messages or images via Internet, email, or text message.
  • Sending or posting information via Internet, email, or text message that is defamatory to the company, employees, and/or customers.
  • Downloading, uploading, or installing unauthorized software or malicious code.
  • Internet gambling.

Finally, the policy should contain a statement that employees who misuse employer resources may be subject to discipline, up to and including immediate termination and, where appropriate, civil and/or criminal liability. Employers may consider making the technology usage policy a pop-up message that appears on-screen each time employees log onto their computers.

Employee Monitoring

Employee monitoring may be accomplished in a number of different ways and will vary based on the employer’s financial resources. For example, some large companies hire outside contractors to implement software that monitors all employee emails and Internet usage. This software may include:

  • An email screening program that allows the employer to search emails and text messages for words, images, or content.
  • Keystroke monitoring and computer idle time.
  • An Internet filter that blocks access to restricted sites (for example, pornography, gambling, etc.)
  • A program that searches through employee Internet history looking for inappropriate sites or downloaded images.
  • A program that takes random screenshots of employee computer desktops.

On the other hand, a small employer may be limited to having one employee who randomly reviews a selection of emails once a month.

The courts have generally held that such monitoring is legal so long as the employer establishes an appropriate policy and effectively communicates it to employees prior to implementation or at the time of hire. An essential element of any policy is the assertion that employees should have no expectation of privacy in regard to the use of the employer’s technology. For example:

Employees should have no expectation of privacy in any technology provided by the employer, including, but not limited to: computer files, emails, Internet use, text messages, voice mail messages, or business telephone conversations on company equipment; and that these may be recorded, monitored, or examined at the employer’s discretion.

In addition, the employer should adopt a mechanism by which employees acknowledge and accept the terms of the policy. However, analysis and application of state law must also be included in any workplace monitoring. Additionally, union contracts may limit the employer’s right to monitor.

Copyrighted Materials

In light of the widespread availability of technology that allows employees to easily duplicate copyrighted materials, employers should promulgate a copyright compliance policy. The policy should explain the proper use of the employer’s technology, instruct employees on permissible conduct under copyright law, and provide examples. Prohibited conduct may include:

  • The use or installation of file sharing software unless used by the employer for business purposes.
  • The downloading, copying, or exporting of music, movies, or other copyrighted materials (books, clip art, etc.) from the Internet.
  • The copying of or exporting of employer provided software by employees.
  • The copying of employee movies or music on employer provided resources.

Blogging

To help protect from claims of defamation and dissemination of confidential information and to avoid the misappropriation of trade secrets, employers should have a policy on blogging. At the minimum, this policy should include provisions that:

  • Blogging is prohibited on employer provided resources (computers, network, smartphones, etc.).
  • For employees hosting a private blog:
    • The views expressed on the blog are the employee’s and do not represent the views of the employer.
    • The employee will not reveal:
      • Any information deemed confidential by the employer or federal or state law.
      • Any trade secrets or other proprietary information.
    • Statements made about the company, employees, clients, customers, and competitors must be respectful.

Employers should note that blogging policies are more general than other types of employer policies. The main purpose of a blogging policy is to put employees on notice of the standards of conduct that apply to blog postings. Employers that create a blogging policy that overly restricts employees’ speech may run afoul of employees’ free speech rights and federal and state whistleblower and antiretaliation provisions (i.e, Fair Labor Standards Act (FLSA), Sarbanes-Oxley, and Title VII). In addition, the National Labor Relations Act (NLRA) and similar state statutes prohibit employers from disciplining employees for discussing wages, hours, or other terms and conditions of employment (for instance, urging employees to complain about a particular employment practice).

Note: Prior to disciplining an employee for violation of a blogging policy, employers should consult counsel to ascertain whether such actions are lawful.

Trade Secrets and Confidential Information

To protect company trade secrets and prevent the dissemination of confidential information, employers should adopt a trade secret/confidential information protection policy. This policy should include:

  • A statement that employees are responsible for protecting the company’s confidential information, including trade secrets, from unauthorized disclosure.
  • A definition and description of trade secrets and/or confidential information.
  • Security measures for limiting and controlling access to confidential information (passwords, information classifications, control cards, etc.).
  • Procedures for identifying, handling, and communicating confidential information.
  • Procedures for conducting exit interviews and ensuring that terminated employees return all company documents and electronic data.
  • Requiring employees to sign nondisclosure and noncompetition agreements, where appropriate.
  • Conducting periodic training of employees.