When Acting to Prevent Data Breaches and Comply with Privacy Laws, Remember Overarching Employee Rights

by BakerHostetler

The grocery business may be “fresh and easy,” but drafting a confidentiality and data protection policy that withstands the scrutiny of the current National Labor Relations Board (NLRB) is not. The NLRB, in its recent 2-1 Fresh & Easy Neighborhood Market and United Food and Commercial Workers International Union decision, 361 NLRB No. 8 (July 31, 2014), ruled that the company’s “confidentiality and data protection” rule violated Section 8(a)(1) of the National Labor Relations Act (the Act). This decision is a reminder that businesses acting proactively to avoid data breaches and comply with privacy laws must also consider the NLRB’s view of employee rights if an employee may be implicated in wrongdoing, regardless of the context or label placed on the workplace rule.

Section 8(a)(1) of the Act makes it an unfair labor practice for an employer “to interfere with, restrain, or coerce employees in the exercise of the rights guaranteed in Section 7? of the Act, which guarantees employees the right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.”

Fresh & Easy Neighborhood Market, a grocery store chain, maintained a 20-page “Code of Business Conduct” (the Code) on its website. Employees were required to follow the policies described in the Code and breaches of the Code may result in disciplinary action. The Code’s section entitled “Confidentiality and Data Protection” mandated that employees:

Keep customer and employee information secure. Information must be used fairly, lawfully and only for the purpose for which it was obtained.

In May 2012, charges were filed by the United Food and Commercial Workers International Union challenging the data protection rule, alleging that it was unlawful because employees could reasonably construe it as prohibiting the sharing of information by employees to improve terms and conditions of employment. The NLRB issued a complaint in October 2012, alleging a violation of Section 8(a)(1) of the Act and the matter was transferred to the Division of Judges. On March 22, 2013, an Administrative Law Judge concluded that there was no violation and dismissed the complaint. After the NLRB General Counsel filed exceptions, the matter was transferred to a three member panel of NLRB, including its Chairman.

Forming a majority, the Chairman and another NLRB member disagreed with the Administrative Law Judge and the third dissenting NLRB member by finding the challenged rule overbroad and therefore unlawful. When explaining their rationale, the majority stated that “employees would reasonably construe the admonition to keep employee information secure to prohibit discussion and disclosure of information about other employees, such as wages and terms and conditions of employment.”

The majority rejected the position that, taken in context, the Code’s purpose was confidentiality and data protection. The majority was also not persuaded that, in context, the reasonable employee would construe the Code as addressing ethical matters, including the company’s duty to customers and employees to respect information and responsibly use company IT. Instead, the majority construed the Code as more akin to an employee handbook that addresses work performance and may subject the employees to disciplinary action for non-compliance. The majority also observed that the Code did not contain any language limiting the types of information an employee may not disclose.

The dissenting opinion relied in part on Mediaone of Greater Florida, Inc., 340 NLRB 277 (2003) and Community Hospitals of Central California v. NLRB, 335 F.3d 1079 (D.C. Cir. 2003) for the proposition that “employees would reasonably interpret the rule to apply only to confidential information because ‘employee information’ is found within numerous terms and phrases about confidential and collected information.” The majority found the language at issue broader and more ambiguous than the language at issue in those cases. The dissent noted that, to ensure consistency, the Board should consider the context of rules and apply familiar concepts of statutory interpretation, instead of construing rules to presume a malicious intent.

The Fresh & Easy Neighborhood Market and United Food and Commercial Workers International Union opinion illustrates the need for employers to carefully review all codes, policies, handbooks and other directives for language that might be interpreted to prevent employees from engaging in protected concerted activity. The laudable goals of avoiding data breaches and protecting employee privacy are no defenses to an overbroad policy that chills employee rights, according to the NLRB. Labeling a workplace rule a “data protection” matter or “responsible use of IT” matter does not shield a company from the long-arm scrutiny of the current NLRB.

On the other hand, businesses must take adequate precautions to protect confidential customer and employee information. For example, in the employee privacy context, a federal court recently denied a company’s motion to dismiss a lawsuit accusing it of unlawfully disclosing an employee’s injury on Facebook, even though the employee previously voluntarily disclosed the same injury in a lawsuit against the company. Shoun v. Best Formed Plastics, Inc., Case No. 3:14-cv-00463, 2014 WL 2815483 (N.D. Ind. June 23, 2014).

Readers of this blog are well aware of the consequences of failing to protect customer information. Interestingly, the union in Fresh & Easy expressed disappointment that the NLRB did not expressly hold that employees have the right to use customer information for legitimate organizing purposes.

As stated, businesses should carefully review all codes, policies, handbooks (and any other policy that could result in discipline to employees) for language that might be interpreted to prevent employees from engaging in protected concerted activity. Striking the proper balance between properly-protecting customer and employee data and chilling employee rights is a matter that requires close attention, coordination, and continued monitoring.

In addition to reviewing policies, companies must also consider workplace practices. The complexity of whether employee rights are being “chilled” in the investigation context is illustrated by another recent NLRB decision, also involving Fresh & Easy Neighborhood Market. As stated, Section 7 of the NLRA protects “concerted” activity and this typically involves two or more employees acting together for mutual aid or protection. On August 11, 2014, the full five-member NLRB, in a split-decision, held that an employee soliciting the help of co-workers under federal or state statutes benefiting employees engages in Section 7 protected activity.

In Fresh & Easy Neighborhood Market Inc. and Margaret Elias, Case Number 28-CA-064411 (Aug. 11, 2014) the NLRB considered whether a Fresh & Easy cashier engaged in protected activity by asking co-workers to sign a statement indicating that they had seen a picture that the cashier found offensive. The cashier had observed a workplace drawing she deemed offensive and complained of harassment. The NLRB determined that the cashier engaged in protected activity, even if the issue appeared to concern only the cashier. The dissent emphasized that the majority holding seemingly found protected activity as long as an individual employee seeks the involvement of another employee also covered by the statute, regardless of whether the second employee is willing to help or believes there is a shared interest. Despite finding protected activity, the NLRB concluded that the employer did not violate the law by questioning the cashier because management merely instructed her not to obtain additional statements so that it could conduct a thorough and impartial investigation. The cashier was not precluded from speaking with co-workers during the investigation.

The recent NLRB decisions involving Fresh & Easy Neighborhood Markets highlight danger zones for well-intentioned companies seeking to balance competing legal concerns. The closely divided NLRB opinions in both cases illustrates that reasonable managers may not agree with the holdings or understand where the NLRB draws the line. As a result, companies should deliberately consider whether revisions to its written policies are appropriate and training on appropriate practices is worthwhile.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.