1. Advanced Technology Seminar Cyrus Daftary & Todd Krieger Cyrus Daftary & Todd Krieger March 17, 2014 Privacy

2. 2 Agenda  Administrative Discussion  Employee Privacy Rights  Individual / Consumer Privacy  Questions and Answers

3. 3 Administrative Discussion Creating a web page link in MSWord: http://office.microsoft.com/en-us/word-help/create-format-or- delete-a-hyperlink-HA010165929.aspx#BM1 “Select the text or picture that you want to display as the hyperlink. On the Insert tab, in the Links group, click Hyperlink. You can also right-click the text or picture and then click Hyperlink on the shortcut menu. Do one of the following: To link to an existing file or Web page, click Existing File or Web Page under Link to, and then type the address that you want to link to in the Address box. If you don't know the address for a file, click the arrow in the Look in list, and then navigate to the file that you want. To link to a file that you haven't created yet, click Create New Document under Link to, type the name of the new file in the Name of new document box, and then, under When to edit, click Edit the new document later or Edit the new document now.”

4. Update: Linking liability  Gawker.com published an article on the leaking of “The Hateful 8” script.  Story included third party link to script.  Story: http://defamer.gawker.com/here- are-plot-details-from-quentin-tarantinos- leaked-1507675261  Complaint: http://www.scribd.com/doc/202556960/Tar antino-v-Gawker-COMPLAINT-Hateful- Eight-copyright-screenplay-leak 4

5. 5 Employee Technology Privacy Rights  How private are employees’ personal e- mails sent from work accounts?  How private are employees’ online activities?  How private are employees’ computer activities?

6. 6 A. Should Employees have a Reasonable Expectation of Privacy? McLaren case: (Bill McLaren Jr. v. Microsoft)  Facts: accused of sexual harassment and ‘inventory issues.’  Cause of action: invasion of privacy (Texas). (1) Intrusion on the plaintiff’s seclusion or solitude or into his private affairs; (1) Intrusion on the plaintiff’s seclusion or solitude or into his private affairs; There are two elements to this cause of action: (1) an intentional intrusion, physically or otherwise, on another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person. There are two elements to this cause of action: (1) an intentional intrusion, physically or otherwise, on another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person.

7. 7 Should Employees have a Reasonable Expectation of Privacy (cont’d) ? McLaren case:  Argument: Is a password encrypted e-mail account like a locker at work?  How do their purposes differ?  Conclusion: “the company’s interest in preventing inappropriate and unprofessional comments, or even illegal activity, over its e-mail system would outweigh McLaren’s claimed privacy interest in those communications.”  “Employees have no reasonable expectation of privacy in electronic communication” (Hale and Dorr Internet Alert, July 10, 2002).

8. 8 Class Discussion: Had Quon Brought Back an Expectation of Privacy in the Workplace? Quon v. Arch Wireless:  Facts: City provided pagers to police officers City provided pagers to police officers Policy prohibited personal use Policy prohibited personal use Officers could pay for ‘overages’ Officers could pay for ‘overages’ City requests pager records from Arch Wireless City requests pager records from Arch Wireless Audit turns up extensive and explicit ‘personal use’ Audit turns up extensive and explicit ‘personal use’  Stored Wire and Electronic Communications Act [ 18 U.S.C. §§ 2701-2711 (1986)]  Compare with Warshak?  How about cell tower records? [  How about cell tower records? [ No.08-4227 3 rd Circuit Court of Appeals)] XXX OOO

9. 9 Business Risks to Unregulated Employee E-mail Access  Hostile or harassing work environment from inappropriate downloaded or forwarded messages or images. In 1995 Chevron settled a sexual harassment claim for $2.2 million caused by several factors, including an e-mail listing ‘25 reasons beer is better than women.’ This action preceded the company’s anti-harassment policy (NYLJ 8/23/99). In 1995 Chevron settled a sexual harassment claim for $2.2 million caused by several factors, including an e-mail listing ‘25 reasons beer is better than women.’ This action preceded the company’s anti-harassment policy (NYLJ 8/23/99).  Reduced productivity from employees spending too much time with personal e-mails.  Inappropriate or protected information posted online from workplace computers. Source: www.haleanddoor.com/internet_law/burton.html

10. 10 E-mail and Internet Use Policy is Critical in the Workplace  Two Supreme Court cases created a new standard for sexual harassment liability: 1) Tangible employment action: no defense 1) Tangible employment action: no defense (ex: termination or demotion). 2) Affirmative defense: 2) Affirmative defense: Exercised reasonable care to prevent and correct harassing behavior and;Exercised reasonable care to prevent and correct harassing behavior and; Employee unreasonably failed to take advantage of employer’s policy.Employee unreasonably failed to take advantage of employer’s policy. Source: Burlington v. Ellerth 535 US 742; Faragher v City of Boca Raton 524 US 775 (1998).

11. 11 Does Monitoring Employee e-mail Violate ECPA?  Electronic Communications Privacy Act of 1986 (18 USC 2510): Prohibits interception of electronic communications, including e-mail affecting interstate or foreign commerce. Prohibits interception of electronic communications, including e-mail affecting interstate or foreign commerce. Permits interception if there is consent. Permits interception if there is consent. Provides a business exception for delivered communications (monitoring must not be excessive and have a legitimate business purpose): Fraser v. National Mutual Ins. Co. Provides a business exception for delivered communications (monitoring must not be excessive and have a legitimate business purpose): Fraser v. National Mutual Ins. Co. Councilman case discussion Councilman case discussion  Smyth v. Pillsbury: No reasonable expectation of privacy, despite employer’s policy.

12. 12 How Far Can An Employer Reach?  Can an employer terminate an employee for activities on Facebook? Souza & Costco cases set NLRB standards. Souza & Costco cases set NLRB standards.  Should an employer be able to see an employee’s FB account?  Does an employer have a duty to monitor online chat rooms technically outside of the workplace? Blakey v. Continental : if employer knew about harassing comments, it had a duty to stop them (164 NJ 38). Blakey v. Continental : if employer knew about harassing comments, it had a duty to stop them (164 NJ 38).

13. 13 Many Companies Claim To Monitor Employee Activities 2001 AMA Survey Computer files 36.1% E-mail46.5% Internet activities 62.8% Sources: CFO 9/2001 – AMA 2001 Survey, press.amanet.org/press-releases Most companies who monitor employee activities cite potential liability as the primary reason for monitoring. 2007 AMA Survey 45% 43% 66%

14. 14 More Employers are Investigating Online Activities  28% of employers surveyed by AMA fired employees for e-mail misuse.  30% of employers fired employees for Internet misuse.  Aggressive investigations could impact employee morale.  Companies are now aggressively blocking access to inappropriate web sites and automatically monitoring employee activities.

15. 15 Investigations May Be Triggered By:  Excessive consumption of resources Downloads or uploads that tie up the network Downloads or uploads that tie up the network Hard drive filled with questionable content Hard drive filled with questionable content  Colleague complaints  Vigilant technical staff  Odd behavior  Odd behavior  Activities triggering alarms on monitoring software.

16. 16 Monitoring Technologies  Software solutions Monitor incoming and outgoing e-mail Monitor incoming and outgoing e-mail Capture screen shots at regular intervals Capture screen shots at regular intervals Monitor online activities Monitor online activities Filter keywords and file types Filter keywords and file types Example: www.spectorsoft.com Example: www.spectorsoft.comwww.spectorsoft.com  Hardware solutions Keystroke logger captures up to 2 GB of keystrokes, including user names and passwords. Small physical device runs independently of applications. Not susceptible to anti-spy software applications. Keystroke logger captures up to 2 GB of keystrokes, including user names and passwords. Small physical device runs independently of applications. Not susceptible to anti-spy software applications. Example: KeyLlama (www.KeyLlama.com). Example: KeyLlama (www.KeyLlama.com).

17. 17 Consumer Privacy We’ll address information security in another lecture

18. 18 “ You Already Have Zero Privacy – Get Over it” (Sun CEO Scott McNealy 2000)  Abacus Ad: “This family just spent $425 for a down comforter, $225 for lighting…they have 5 more rooms [to go], want their address?”  http://lists.nextmark.com/market?page=order/online/data card&id=216497 How about a mailing list of customers who suffer from: “Allergies, Arthritis, Cancer, Diabetes, Heart Burn, Heart Disease, Impaired Vision, Potency…” How about a mailing list of customers who suffer from: “Allergies, Arthritis, Cancer, Diabetes, Heart Burn, Heart Disease, Impaired Vision, Potency…”  http://www.pharmdirectmail.com/

19. Data Brokers (60 Minutes)  http://www.cbsnews.com/news/the-data- brokers-selling-your-personal-information/ 19

20. 20 Technology Related Privacy Concerns  Social Networks  Identity and Information Theft, Phishing  Spam (Usenet abuse / evolved into unsolicited commercial e-mail)  Reverse Computer Trespass / Data Mining / Spyware (Common Gateway Interface – execute a program on host; examine files; install software) )  E-mail Interception  Children  Geotracking  http://www.google.com/intl/en/policies/privacy/preview/  We will address security and digital discovery in another lecture.

21. 21 Consumer Concerns  The intrusion into personal affairs and how to prevent it: Suspicious of surreptitious monitoring of online activities. Suspicious of surreptitious monitoring of online activities. Web surfers are not aware of what information collected or where it is going. Web surfers are not aware of what information collected or where it is going.  The free exchange of information and ideas concept is not compatible with private information.  Stronger feeling of control with mail or telephone disclosure.

22. 22 Consumer Concerns (cont’d)  Privacy and security are related concerns; a lapse in privacy protection may mean there was a security breach;  Host victim of security breach may not be able to find the culprit, but could still be liable to users who are harmed by the breach;  Privacy law may fall behind Internet technology. Most states require companies to disclose if the personal data of a resident is compromised.

23. 23 Business Needs  Track site usage and visits to better understand customer patterns and needs.  Cost effectively market to potential customers.  Generate leads.  Track effectiveness of marketing and advertising.  Generate revenue for third party advertisers.

24. 24 Consumer Risks  Intercepted wireless communications: Mobile device Mobile device Wireless laptop Wireless laptop  Unauthorized data access Bank or credit card company Bank or credit card company Work Work Online shopping sites Online shopping sites Social networks Social networks  Exposed data Personal information Personal information Financial information Financial information Computer files Computer files Access to employer’s network. Access to employer’s network.

25. 25 Internet Privacy - Definitions  “Cookie” - a data file written onto a user’s hard drive by programs invoked by web page functions.  “Web Bugs” or “Secret Traces” or “Pixel Beacons” – (1 x 1 pixel) GIF image, usually invisible, allowing the sender of an e-mail or host of a web site (and third parties) to load cookies on the user’s machine which then can track the user’s movements across multiple sites (DoubleClick.com employed such technology).  “Flash Cookies or Locally Stored Objects” – Secondary ‘cookies’ not ordinarily removed when a user purges cookies. http://www.macromedia.com/support/documentation/en/flashplayer/help /settings_manager06.html http://www.macromedia.com/support/documentation/en/flashplayer/help /settings_manager06.html  “Cyberstalking” – using the Internet to stalk an individual.  “Spyware”- software tracking activity on a computer without consent.  “History Sniffing”- data stored in a web browser to ascertain what other sites the user has visited.

26. 26 Online Privacy Legal Framework  Federal Trade Commission - fair advertising standards  Local and State laws  Federal Statues: COPPA (http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm) COPPA (http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm) Gramm-Leach-Bliley Act of 1999 (financial privacy) Gramm-Leach-Bliley Act of 1999 (financial privacy) HIPAA / HiTech (protected health info) HIPAA / HiTech (protected health info)  Evolving Common Law  EU Data Privacy Directive

27. 27 FTC Privacy Policy Recommendation  Notice: let them know you are collecting data.  Choice: can they opt out of participating in the data collection?  Access: who can view the data?  Security: can anyone else get to the data?  Practical note: don’t keep your policy static and claim it will never change - companies are acquired or go out of business? What if the court compels disclosure? Source: www.ftc.gov

28. 28 Tracking Technology  History sniffing: Should e-mailers be able to determine how often a message was read and by whom?  Should they be able to ascertain the I.P. address, host, and computer type of the recipient? What if a vendor priced its products based on the recipient’s processing speed or the value of the computer? What if a vendor priced its products based on the recipient’s processing speed or the value of the computer? http://www.proxyway.com/www/privacy-test.html http://www.proxyway.com/www/privacy-test.html

29. 29 Online Privacy Mishaps  FTC v. Geocities: Geocities violated their own privacy policy and distributed data collected from children.  Travelocity accidentally posted the names, addresses, (some) telephone numbers, and e-mail addresses of 15,000 contest entrants in an online link (http://www.dmnews.com/articles/2001-01-22/12804.html).  Prozac sent out an e-mailing to subscribers and disclosed all of the e-mail addresses in the header (Eli Lilly case available at www.ftc.gov).  More than 45 verdicts have been challenged in the past two years because of internet related juror misconduct (Reuters Legal).

30. 30 Detailed Policies Can Help Minimize Risk  Clients need a mechanism in place to: Avoid privacy lapses Avoid privacy lapses Address and investigate any mishaps Address and investigate any mishaps  New Massachusetts GL 93H creates an obligation to have robust policies  Privacy audits can yield surprising insight  Different divisions of the same company may not realize their impact on privacy practices Telemarketing Telemarketing Online marketing Online marketing E-mail marketing E-mail marketing Direct (mail marketing) Direct (mail marketing) Customer service departments Customer service departments Advertising Advertising

31. 31 Other Considerations:  European Union privacy directive. Notice (what is collected and why?)Notice (what is collected and why?) Choice (opt out)Choice (opt out) Access (individuals can view and correct data)Access (individuals can view and correct data) Must have unambiguous consent for data collection Must have unambiguous consent for data collection Prohibition on data export without consent - including H.R. data sent from subsidiaries to U.S. company Prohibition on data export without consent - including H.R. data sent from subsidiaries to U.S. company Local statutes may include civil and criminal penalties Local statutes may include civil and criminal penalties Safe Harbor participants violating the directive face potential U.S. fines from the Dept. of Commerce: see http://www.export.gov/safeharbor Safe Harbor participants violating the directive face potential U.S. fines from the Dept. of Commerce: see http://www.export.gov/safeharbor

32. 32 Questions & Answers