When Acting to Prevent Data Breaches and Comply with Privacy Laws, Remember Overarching Employee Rights

The grocery business may be “fresh and easy,” but drafting a confidentiality and data protection policy that withstands the scrutiny of the current National Labor Relations Board (NLRB) is not. The NLRB, in its recent 2-1 Fresh & Easy Neighborhood Market and United Food and Commercial Workers International Union decision, 361 NLRB No. 8 (July 31, 2014), ruled that the company’s “confidentiality and data protection” rule violated Section 8(a)(1) of the National Labor Relations Act (the Act). This decision is a reminder that businesses acting proactively to avoid data breaches and comply with privacy laws must also consider the NLRB’s view of employee rights if an employee may be implicated in wrongdoing, regardless of the context or label placed on the workplace rule.

Section 8(a)(1) of the Act makes it an unfair labor practice for an employer “to interfere with, restrain, or coerce employees in the exercise of the rights guaranteed in Section 7” of the Act, which guarantees employees the right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.”

Fresh & Easy Neighborhood Market, a grocery store chain, maintained a 20-page “Code of Business Conduct” (the Code) on its website. Employees were required to follow the policies described in the Code and breaches of the Code may result in disciplinary action. The Code’s section entitled “Confidentiality and Data Protection” mandated that employees:

Keep customer and employee information secure. Information must be used fairly, lawfully and only for the purpose for which it was obtained.

In May 2012, charges were filed by the United Food and Commercial Workers International Union challenging the data protection rule, alleging that it was unlawful because employees could reasonably construe it as prohibiting the sharing of information by employees to improve terms and conditions of employment. The NLRB issued a complaint in October 2012, alleging a violation of Section 8(a)(1) of the Act, and the matter was transferred to the Division of Judges. On March 22, 2013, an Administrative Law Judge concluded that there was no violation and dismissed the complaint. After the NLRB General Counsel filed exceptions, the matter was transferred to a three-member panel of the NLRB, including its Chairman.

Forming a majority, the Chairman and another NLRB member disagreed with the Administrative Law Judge and the third dissenting NLRB member by finding the challenged rule overbroad and therefore unlawful. When explaining their rationale, the majority stated that “employees would reasonably construe the admonition to keep employee information secure to prohibit discussion and disclosure of information about other employees, such as wages and terms and conditions of employment.”

The majority rejected the position that, taken in context, the Code’s purpose was confidentiality and data protection. The majority was also not persuaded that, in context, the reasonable employee would construe the Code as addressing ethical matters, including the company’s duty to customers and employees to respect information and responsibly use company IT. Instead, the majority construed the Code as more akin to an employee handbook that addresses work performance and may subject the employees to disciplinary action for non-compliance. The majority also observed that the Code did not contain any language limiting the types of information an employee may not disclose.

The dissenting opinion relied in part on Mediaone of Greater Florida, Inc., 340 NLRB 277 (2003) and Community Hospitals of Central California v. NLRB, 335 F.3d 1079 (D.C. Cir. 2003) for the proposition that “employees would reasonably interpret the rule to apply only to confidential information because ‘employee information’ is found within numerous terms and phrases about confidential and collected information.” The majority found the language at issue broader and more ambiguous than the language at issue in those cases. The dissent noted that, to ensure consistency, the Board should consider the context of rules and apply familiar concepts of statutory interpretation, instead of construing rules to presume a malicious intent.

The Fresh & Easy Neighborhood Market and United Food and Commercial Workers International Union opinion illustrates the need for employers to carefully review all codes, policies, handbooks and other directives for language that might be interpreted to prevent employees from engaging in protected concerted activity. The laudable goals of avoiding data breaches and protecting employee privacy are no defenses to an overbroad policy that chills employee rights, according to the NLRB. Labeling a workplace rule a “data protection” matter or “responsible use of IT” matter does not shield a company from the long-arm scrutiny of the current NLRB.

On the other hand, businesses must take adequate precautions to protect confidential customer and employee information. For example, in the employee privacy context, a federal court recently denied a company’s motion to dismiss a lawsuit accusing it of unlawfully disclosing an employee’s injury on Facebook, even though the employee previously voluntarily disclosed the same injury in a lawsuit against the company. Shoun v. Best Formed Plastics, Inc., Case No. 3:14-cv-00463, 2014 WL 2815483 (N.D. Ind. June 23, 2014).

Readers of this blog are well aware of the consequences of failing to protect customer information. Interestingly, the union in Fresh & Easy expressed disappointment that the NLRB did not expressly hold that employees have the right to use customer information for legitimate organizing purposes.

As stated, businesses should carefully review all codes, policies, handbooks (and any other policy that could result in discipline to employees) for language that might be interpreted to prevent employees from engaging in protected concerted activity. Striking the proper balance between properly protecting customer and employee data and chilling employee rights is a matter that requires close attention, coordination, and continued monitoring.

In addition to reviewing policies, companies must also consider workplace practices. The complexity of whether employee rights are being “chilled” in the investigation context is illustrated by another recent NLRB decision, also involving Fresh & Easy Neighborhood Market. As stated, Section 7 of the NLRA protects “concerted” activity and this typically involves two or more employees acting together for mutual aid or protection. On August 11, 2014, the full five-member NLRB, in a split-decision, held that an employee soliciting the help of co-workers under federal or state statutes benefiting employees engages in Section 7 protected activity.

In Fresh & Easy Neighborhood Market Inc. and Margaret Elias, Case Number 28-CA-064411 (Aug. 11, 2014) the NLRB considered whether a Fresh & Easy cashier engaged in protected activity by asking co-workers to sign a statement indicating that they had seen a picture that the cashier found offensive. The cashier had observed a workplace drawing she deemed offensive and complained of harassment. The NLRB determined that the cashier engaged in protected activity, even if the issue appeared to concern only the cashier. The dissent emphasized that the majority holding seemingly found protected activity as long as an individual employee seeks the involvement of another employee also covered by the statute, regardless of whether the second employee is willing to help or believes there is a shared interest. Despite finding protected activity, the NLRB concluded that the employer did not violate the law by questioning the cashier because management merely instructed her not to obtain additional statements so that it could conduct a thorough and impartial investigation. The cashier was not precluded from speaking with co-workers during the investigation.

The recent NLRB decisions involving Fresh & Easy Neighborhood Markets highlight danger zones for well-intentioned companies seeking to balance competing legal concerns. The closely divided NLRB opinions in both cases illustrate that reasonable managers may not agree with the holdings or understand where the NLRB draws the line. As a result, companies should deliberately consider whether revisions to their written policies are appropriate and training on appropriate practices is worthwhile.

Topics:  Confidential Information, Data Protection, Employee Rights, Employer Liability Issues, Employment Policies, Fresh & Easy, Grocery Stores, NLRA, NLRB

Published In: General Business Updates, Labor & Employment Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
