Evolving Employee Rights in the Age of Web 2.0

Morgan Lewis presented an informative webcast on Web 2.0 from the company/employee perspective. These are my notes.

Companies cannot limit the personal use of these sites. But the line between personal and professional can be very fuzzy. You can limit access over the company’s network, but employees have easy access from mobile phones and home computers.

They cited Deloitte’s 2009 Ethics & Workplace Survey Examines the Reputational Risk Implications of Social Networks to point out the need for companies to address social media.

One issue is the reasonable expectation of privacy. This is even more complicated given that the data is in the internet cloud and not on the company’s hardware or storage. Most (if not all) of your Web 2.0 data resides in the cloud, not on a hard drive or network storage that you control.

Personal Use of Mobile Devices

The first issue with privacy is the use of mobile devices. It’s hard to prevent ALL personal use of a company-supplied device, especially a mobile device. Even if you ban personal use of the device, it is hard to monitor and hard to enforce. Would you really discipline an employee who made a personal phone call on their BlackBerry? You need a clear policy that is enforceable. You also need to set reasonable expectations of privacy.

This is exactly the issue addressed in the Quon case, recently argued at the Supreme Court. The panel spent some time discussing the Quon case and the lessons that may come out of it, even though the decision may be limited to government workplaces.

The additional complication is that the company (in this case the government) pulled the personal information from a third-party service provider. That implicated the Electronic Communications Privacy Act.

Personal Email

They also took a close look at the . That was more focused on the use of personal email and attorney-client privilege. There are some interesting attacks on that company’s computer use policy.

They raised Convertino v. U.S. Department of Justice, 674 F. Supp. 2d 97 (D.D.C. 2009). The DOJ found email between an Assistant Attorney General and his personal attorney. He had used a DOJ email account. He deleted the emails immediately after they were sent or received, but didn’t realize that a deleted copy would be kept. The court used a test similar to that used by the Stengart court to look at the employee’s expectation of privacy. DOJ did not ban personal email on the company system.

The takeaway is that employers should inform employees that they have no reasonable expectation of privacy in any technology provided by the company. (It is probably too hard to monitor and enforce a complete ban on personal use.) You should also let them know that back-up copies may exist even if the employee deletes a copy.

Proposed Internet/Email Policy

Here are some items they propose:

  • Limit personal use of the company email system.
  • Inform employees they have no reasonable expectation of privacy in any technology provided by the company (e.g., email, Internet, laptop, PDA).
  • All information forwarded or received via the company email system is subject to monitoring and may be stored.
  • All information sent, received or viewed on the Internet, including personal, web-based communications, instant messages, text messages or other forms of communication, can be stored on a computer’s hard drive, the company’s servers, etc. and can be reviewed and retrieved by the company at any time.
  • Back-up copies of electronic communications may exist, even if “deleted” from the computer.
  • Issue periodic reminders to employees that the computers they are working on do not belong to them, and that information accessed on the computers may be subject to inspection and collection.
  • Describe prohibited activities:
    • Disseminating confidential information;
    • Any actions that could be seen as harassing;
    • “Hacking” and related activities;
    • Tampering with or disabling security mechanisms on company computers;
    • Unauthorized downloads; and
    • Violations of copyright laws.
  • Enforce the policy and punish violators.
  • Obtain signed acknowledgements and post the policy.

HR using Web 2.0

There are special limitations for HR and hiring managers. You need to be careful when using social networking sites to find information about potential hires. Do not try to gain a view of someone’s online account through deception.

You should consider whether employees can give recommendations on sites like LinkedIn.

You can’t prohibit employees from discussing terms and conditions of employment. Such a ban would be a violation under the National Labor Relations Act.

FTC Guidelines and the Workplace

The FTC guidelines are also something to keep in mind. Your employees may be the biggest fans of your products. If an employee is talking about your company’s product, the employee needs to disclose they are an employee. Otherwise it could be considered a deceptive testimonial, creating potential liability for the employee and the company.

The FTC guidelines require disclosure of a material connection between the blogger (commenter, Twitter-er, etc.) and the company. Employment is clearly a material connection. That means it needs to be clearly and conspicuously disclosed. (16 C.F.R. §255.5) The FTC will consider the existence of a policy in deciding whether to bring an enforcement action.

A company should make it clear that the policy is applicable across all communication platforms.

Should you search the internet for information on job applicants?

There are issues. Many people may argue that it is an invasion of privacy. Beyond the practical issues, there are legal issues such as discrimination and unlawful background checks.

You also need to be concerned that the information you find is applicable to that person. There are lots of people out there with similar names. (Even I am not unique: Another Doug Cornelius)

Are you liable for false statements made by your employees?

If the company sponsors the content, then yes, the company can be held responsible. Even on a non-sponsored site, if the company does nothing, that could be viewed as assent and the company could be held responsible.

Can you discipline an employee for using these sites?

Not if they are complaining about their working environment to other employees. That is protected under the National Labor Relations Act.

If the activity is akin to whistle-blowing, then the activity could be protected under Sarbanes-Oxley or state statute.

A few states specifically protect off-duty, off-site conduct.

Can you prevent employees from saying bad things about the company?

An injunction acts as a prior restraint on speech. [See: Bynog v. SL Green Realty Corp., 2005 WL 3497821 (S.D.N.Y. 2005)]

It is easier to get damages for defamation and invasion of privacy. [See: Varian Medical Systems, Inc. v. Delfino]

If the blogger is anonymous, it’s harder to do. Particularly in California, you need to prove defamation before a court will grant a subpoena.

Protect your IP

You want to be careful about how employees are using your logo or other intellectual property on their own sites.

Materials

They posted a copy of the slidedeck from the presentation on their website if you want more detail: Presentation Slidedeck

In-House Counsel as Whistleblowers under SOX

Section 806 of the Sarbanes-Oxley Act (18 USC §1514A) expressly authorizes any “person” alleging discrimination based on protected conduct to file a complaint with the Secretary of Labor and, thereafter, to bring suit in an appropriate district court. There is no exception for lawyers or in-house counsel.

Recently, the Ninth Circuit tackled this issue in the case of Van Asdale v. International Game Technology.

Shawn and Lena Van Asdale were in-house counsel for IGT. As part of the merger of IGT with another company, the Van Asdales raised some issues regarding the validity of a valuable patent owned by IGT. They thought the patent issue should be disclosed in connection with the merger. Their bosses thought otherwise and fired them instead. The Van Asdales sued, asserting a whistleblower claim under SOX because they were terminated for reporting possible shareholder fraud in connection with that merger.

What About Legal Ethics Restrictions?

IGT argued that the Van Asdales were prohibited from filing suit because of their ethical obligations as Illinois-licensed attorneys. There is some Illinois law that “in-house counsel do not have a claim under the tort of retaliatory discharge.” Balla v. Gambro, Inc., 584 N.E. 2d 104 (Ill. 1991). However, this case is based on federal law, not Illinois law. So the court rejected that argument.

What About Attorney-Client Privilege?

The Van Asdales’ case is based on a conversation the two had with their boss regarding a pending litigation matter involving the company. To bring the case, they have to disclose information subject to the attorney-client privilege.

The Court looked at Section 806 of the Sarbanes-Oxley Act (18 USC §1514A) which expressly authorizes any “person” alleging discrimination based on protected conduct to file a complaint. Since there is no exception, in-house counsel should not be prevented from bringing a claim. There are ways to protect information. The trial court should “use the many ‘equitable measures at its disposal’ to minimize the possibility of harmful disclosures, not to dismiss the suit altogether.”

What About the Substance of the SOX Claim?

Beyond the attorney-client privilege in the case, there was also a disagreement over the standards for the claim under the whistleblower protections of SOX.

The plaintiffs only needed to show that they reasonably believed that there might have been fraud and were fired for suggesting further inquiry. Section 1514A prohibits discriminating against an employee for “provid[ing] information . . . regarding any conduct which the employee reasonably believes constitutes a violation of” a listed law. So an employee “must have (1) a subjective belief that the conduct being reported violated a listed law, and (2) this belief must be objectively reasonable.”

References:

Image is by HughElectronic: Whistleblower. http://www.flickr.com/photos/hughelectronic/ / CC BY 2.0

FBAR Filing Deadline Extended (For Some)

The deadline for Foreign Bank Account Reporting was June 30. The Report of Foreign Bank and Financial Account is IRS TD F 90-22.1 (.pdf). Any United States person who has a financial interest in, or signature or other authority over, any financial account in a foreign country must file the report if the aggregate value of these accounts exceeds $10,000 at any time during the calendar year. An FBAR must be filed whether or not the foreign account generates any income.

Although the FBAR requirement has been around for a few years, the IRS recently revised the filing requirements. It seems to have caught many people by surprise. The IRS had extended the FBAR filing deadline to September 23 for taxpayers who reported and paid tax on all their 2008 taxable income, but only recently learned of their FBAR filing obligation and have insufficient time to gather the necessary information to complete the FBAR.

There are a few instances in which the filing requirement seems unclear and really unexpected, so the IRS further extended the filing deadline in two instances:

  1. Persons with no financial interest in a foreign financial account but with signature or other authority over the foreign financial account.
  2. Persons with a financial interest in, or signature authority over, a foreign financial account in which the assets are held in a commingled fund.

If that is you, then you have until June 30, 2010 to file FBARs for the 2008, 2009 and earlier calendar years.

In the first instance, company officers and employees were caught off guard that they need to personally file an FBAR for company accounts. As part of IRS Notice 2009-62 (.pdf), the Department of the Treasury is requesting comments regarding when a person with signature authority over, but no financial interest in, a foreign financial account should be relieved of filing an FBAR for the account, especially when the person with a financial interest in the account has filed an FBAR.

The second instance was triggered by statements made by the IRS in June indicating their view that the term “foreign commingled fund” includes private investment funds organized outside the United States. As part of IRS Notice 2009-62 (.pdf), the Treasury Department is asking for comments on this approach.

Comprehensive Changes to Family and Medical Leave Act Regulations

On November 17, 2008, the U.S. Department of Labor published final regulations under the Family and Medical Leave Act of 1993 (FMLA).  Morgan Lewis put together this great summary of the regulatory changes: Department of Labor Enacts Comprehensive Changes to Family and Medical Leave Act Regulations (.pdf)

Legal Expenses

Mark A. Srere and Amy J. Conway-Hatcher of Morgan, Lewis & Bockius LLP wrote Legal Expenses for The Recorder (CAL LAW). The article compares the results of U.S. Department of Justice and SEC investigation against Lucent with FCPA Opinion Procedure Release 08-03.

Lucent spent millions of dollars on hundreds of trips for Chinese government officials over a three-year period. The trips were primarily sightseeing and leisure activities, including Disneyland, Niagara Falls and the Grand Canyon. Lucent also labeled the attendees as “decision-makers” who could help award new business to the company. See The FCPA Blog’s post on Lucent.

TRACE International under FCPA Opinion Procedure Release 08-03 was merely paying out-of-pocket costs for journalists to cover the company’s news stories. Local journalists got lunch money and local transportation costs. Out-of-town journalists got some extra travel expenses and more meals.

TRACE tied the payments to expenses directly related to the “promotion, demonstration or explanation of the company’s products or services” and the payments were reasonable in amount. Lucent failed both of these tests under 15 U.S.C. § 78dd-2(c)(2)(A).

Who Is a Foreign Official After the Government Bailout of Financial Institutions?

We have all read about the bailout of US financial institutions by the US government. This is not happening in other countries.  This complicates the analysis under the Foreign Corrupt Practices Act.

As Joel M. Cohen, Michael P. Holland, and Adam P. Wolf of Clifford Chance examined in Under the FCPA, Who Is a Foreign Official Anyway?, the FCPA does not define a foreign official. An employee of a state-owned enterprise is a foreign official. But the FCPA does not define a state-owned enterprise. The Anti-Bribery Convention of OECD does a better job of defining it. See International Standards for the Bribery of Public Officials.

In some of these government bailouts, the governments are purchasing equity and equity-like interests in the financial institutions. Is AIG a state-owned enterprise? The US government has the right to purchase majority ownership!

Morgan Lewis put out a LawFlash on this issue: Financial Turmoil and the Expanding Reach of the FCPA.

Morgan Lewis points out that the DOJ will likely treat sovereign wealth funds as state-owned enterprises and therefore their employees are foreign officials under the FCPA.

If a government has a small passive interest in a company, then the company is probably not a state-owned enterprise. As the ownership interest increases and the management control increases the company starts looking more like a state-owned enterprise.

Merely buying assets (like crappy CMBS and CDO interests) or guaranteeing loans should not affect the treatment of the company.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 they decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concern that anonymous reporting would lead to malicious false reports of misconduct. They determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?