Posted on Friday, December 12 2014 at 3:54 pm by

Did Your Company’s Email Policy Just Become Invalid?



In 2007, the National Labor Relations Board (the “Board”) in Guard Publishing Co. d/b/a Register Guard held that employees do not have a right under the National Labor Relations Act (“NLRA”) to use an employer’s email system for union-related communications. Since then, employers have had broad latitude to implement and enforce workplace policies restricting employee email use for nonwork purposes. The only significant limitation has been that restrictions on the nonwork use of an employer’s email system must be applied in a nondiscriminatory manner. In other words, an employer could not prohibit only union-related emails and solicitations. The Register Guard ruling was generally based on the Board’s comparison of an employer’s email system to an employer’s bulletin board, copy machines, and public address systems and prior decisions holding that an employer could prohibit nonwork use of such equipment. On December 11, 2014 in Purple Communications, Inc., the Board reversed the Register Guard ruling and held that employees have a presumptive right to use their employer’s email systems for nonwork NLRA-protected purposes.

The Board’s Decision in Purple Communications

In Purple Communications, a union challenged an employer’s rule prohibiting employees from using the employer’s email system for “[e]ngaging in activities on behalf of organizations or persons with no professional or business affiliation with the Company” and “[s]ending uninvited email of a personal nature.” This gave the Board the opportunity to reconsider its earlier ruling in Register Guard. The Purple Communications Board labeled the Register Guard ruling, which was decided by a Republican-majority Board, “clearly incorrect.”

The Board criticized the Register Guard ruling on several grounds. First, the Board argued that the Register Guard ruling gave too much deference to employer property rights at the expense of employees’ NLRA-protected right to engage in concerted activity with respect to terms and conditions of employment. The Board argued that employees’ must be able to communicate with each other in order to exercise their statutory rights, citing the long-standing rule that an employer may generally prohibit oral solicitation at work only on employees’ working time. Second, the Board believed the Register Guard Board “inexplicably failed to perceive” how important email communications are to employees engaging in protected activity today. The Board cited to the increased use of email in the years since Register Guard was decided in 2007. The Board also concluded that email should not be treated the same as other physical company property, such as bulletin boards, copy machines, and public address systems, because the use of email by one employee does not interfere with or hinder another employee’s use of email. Indeed, the Board questioned the validity of all prior cases holding that employers can broadly prohibit nonwork use of company equipment, thus signaling that the Board may be primed to change the rules regarding employee use of those facilities in future cases.

In Purple Communications, the Board held that employers that provide email access to their employees must allow those employees to use email for NLRA-protected activities, including union-related activities, on nonworking time, unless they can demonstrate special circumstances that make a complete ban of nonwork use of email necessary to maintain production or discipline. The Board indicated that “we anticipate it will be the rare case where special circumstances justify a total ban on nonwork email use by employees” and that such special circumstances must be more than theoretical. The Board stated employers can, however, establish uniform and consistently enforced restrictions, such as prohibiting large attachments and audio/video segments, if the employer can demonstrate that such use would interfere with the email system’s efficient functioning. The Board also stated that the availability of other methods of electronic communication – e.g., Facebook, blogging, or personal email accounts – and the availability of face-to-face communication is not relevant and cannot be relied upon to justify a complete ban.

The Board clarified that its ruling in Purple Communications addresses only email systems and the use of email systems by employees, rather than by nonemployees. Additionally, an employer is not required to grant email access to employees if it has chosen not do so. The Board rightly anticipated that its ruling would raise questions about an employer’s right to ensure that employees are using email for nonwork purposes only during nonworking time. The Board clarified that its ruling does not impact an employer’s right to monitor its computer and email systems for legitimate management reasons, such as ensuring productivity and preventing harassment. An employer may not, however, increase monitoring during union-organizing campaigns or focus its monitoring efforts on protected conduct or union activists. The Board also confirmed that an employer can continue to notify employees that it will (or reserves the right to) monitor their email communications for legitimate management reasons and that employees may have no expectation of privacy in their use of the employer’s email system.

Practical Implications

Relying on Register Guard, many employers have adopted or maintained policies prohibiting or limiting employee use of employer email systems for nonwork purposes. Most such policies are now facially invalid, and the maintenance of them is an unfair labor practice under the NLRA, even if not adversely applied to a particular employee. Employers that provide email access to employees should review their email policies and practices to ensure that they comply with the standards set forth in Purple Communications. Any nonwork limitation that infringes on employees’ NLRA rights must be justified by a “special circumstance,” which will be difficult to establish.

In Purple Communications, the Board questioned the validity of all prior cases holding that employers could broadly prohibit the nonwork use of their physical property. In particular, the Board discussed and rebutted at length the justifications for protecting employer telephone systems, suggesting that they could be the next to fall. Thus, employers should also revisit their policies prohibiting nonwork use of bulletin boards, copy machines, telephone systems, and other physical property and consider whether manageable restrictions are possible, rather than complete bans.

Posted on Monday, November 24 2014 at 11:58 am by

CFPB Proposes Rules For Prepaid Products — Including Mobile


By Aaron M. KaslowErich M. Hellmold and  Kevin M. Toomey

On November 13, the Consumer Financial Protection Bureau (“CFPB”) released a proposed rule (the “Proposal”) that would provide significant consumer protections for prepaid accounts through substantial amendments to Regulation E (Electronic Fund Transfer Act) and Regulation Z (Truth in Lending Act). Prepaid products, which are becoming viewed as a bridge between the unbanked and traditional deposit products, are consumer accounts typically loaded with funds by a consumer or by a third party, such as an employer. According to the CFPB, prepaid products are amongst the fastest growing types of consumer financial products in the United States. The Proposal would afford consumers using these emerging products the protections currently provided to existing financial products.

Specifically, the CFPB proposes to define prepaid accounts under Regulation E and Regulation Z to cover a variety of prepaid financial products, including: traditional prepaid cards; mobile and other electronic prepaid accounts that can store funds; payroll cards; government benefit cards; child support; pension payments; student financial aid disbursement cards; tax refund cards; and peer-to-peer payment products.

The Proposal would extend certain existing consumer protections – such as those available to credit card holders, payroll card accounts and certain benefit accounts – to these covered prepaid accounts in an effort to provide (1) easy and free access to account information; (2) error investigation and resolution rights; (3) fraud and lost-card protection; (4) additional disclosures designed to inform consumers and allow them to better compare prepaid products; and (5) an extension of those protections afforded credit card consumers.

Notably, the Proposal would:

  • Prohibit an institution from opening a credit card account or increasing a line of credit related to a prepaid account unless that institution considers the consumer’s ability to make the required payments;
  • Require that financial institutions provide consumers with at least 21 days to repay debt tied to a prepaid account before charging a late fee that is “reasonable and proportional” to the violation of the account terms;
  • Generally require financial institutions to limit fees during the first year following the opening of a prepaid account to 25 percent of the credit limit and prohibit them from increasing the interest rate on existing balances unless two consecutive payments are missed; and
  • Prohibit an institution from opening a credit card account or providing a solicitation or application to open a credit account to the prepaid account customer within 30 days of a consumer registering the prepaid account.

Comments on the Proposal must be submitted to the CFPB within 90 days from publication in the Federal Register.

The following is a link to the Proposal:

The following is a link to the proposed disclosures:

To view a printer-friendly copy of this alert, click here.

Posted on Monday, October 6 2014 at 8:25 pm by

Did You Notice that California’s Data Breach Law Weather Vane Stopped Moving?

1 Weathervane_-_American_Folk_Art_Museum_NYC_-_IMG_5880

Authors: Jon Neiditz and Rishad Patel

California continues to lead the nation in privacy laws about which the nation has not begun to get excited enough.  Jon, for one, feels much safer now that paparazzi drones are prohibited.  And minors can say what they want on social media without scarring their academic records, as long as their parents are willing to leave the district (or move to California) and lie low for a year.

Against this backdrop of new ideas, the bill that had much of the business world scared in “the year of the data breach”—this year’s modification to California’s 2003 world-leading data breach notification statute—turned out not to change the status quo much at all.  A.B. 1710 had a wild youth, shooting arrows at merchants, then banks, then merchants again, but by the time Governor Jerry Brown signed it on September 30, it had grown older and wiser.  Its Bildungsroman tells us a lot about where data breach laws may come to rest.

“Maintainers” of Information Just Have One More “Reasonable Security” Obligation

In its wild youth, A.B. 1710 started out wanting to require “maintainers” of information on behalf of “owners or licensees” of that information (the old formulation from the 2003 law that spread across the country) to get consumer notification obligations just like the ones owners or licensees have.  Yes, in a brave gesture of economic self-destructiveness, the center of the big data, cloud computing universe was going to require all organizations holding information to go directly to their customers’ customers, rather than continuing to require them to tell their customers so that their customers can give consumer notice.

Having put away childish things, A.B. 1710 now just requires the maintainers to  implement reasonable security procedures and practices appropriate to the nature of the information.  Not only were they already to be required by contract to do the same thing, but in most cases the FTC holds them to a very similar standard, so the net-net is no big deal.  Of course, connoisseurs of “reasonable security” know that it exists only in the eyes of the regulator, so the maintainers have a strong interest now in consistent understandings between the California Attorney General and the FTC, which is not always easy.

 “If Any,” Identity Theft Prevention and Remediation Services Must Be Free for a Year

In its wild youth, AB 1710 would have required credit monitoring in response to all breaches. We have been trying to depict this as a crazy idea for years, even though the big retailers keep the craziness going, to the benefit of  lawyers, crisis managers and credit monitoring companies and detriment of stock prices and career longevity.  Having put away childish things, A.B.1710 rightly contemplates “identity theft prevention and mitigation services” for breaches of social security numbers, driver’s license numbers and California ID numbers (i.e., numbers that are hard to change), and does not contemplate such services for breaches of credit or debit card numbers, financial account numbers or medical or health insurance information (where protection can be offered in other ways).  So now you know what to think of  authors of articles telling you that A.B. 1710 was passed in response to highly visible retail breaches like Target and Home Depot (which involved types of information not touched by the new law).

Moreover, the late inclusion of  the magic words “if any” in connection with such services clearly indicates that the law does not mandate such services, but requires that if they are offered, they must be offered at no cost to the affected individuals for at least 12 months.  This is, of course, the standard minimum offering of such services (after which the “identity theft prevention and mitigation services” will begin to upsell unless you require them by contract not to do so).  So contrary to what you read as recently as a few days ago, California did NOT become the first jurisdiction in the world to require such services.

Prohibition on Sales of Social Security Numbers with Business Transaction Exception

The final substantive change introduced by A.B. 1710 is the prohibition on selling, advertising for sale, or offering to sell an individual’s social security number.  The law further prohibits releasing an individual’s social security number for marketing purposes. The prohibition is subject to the exceptions already contained within the bill, such as releasing information for internal verification or administrative purposes and exceptions for healthcare providers.  The final version added an additional exception that will allow businesses to sell or release an individual’s social security number when such release or sale is incidental to a larger, legitimate business transaction.

The wording of the exception – “incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” – could be problematic.  While clearly aimed at not hindering legitimate business activities such as a merger, whether a social security number is “necessary” to identify an individual, as opposed to using another type of identification verification, will be open for interpretation and could lead to uncertainty in application.

The Calm Before the Storm?

Is the wind going out of the data breach sails?  Not the encryption sails, to be sure; we are indeed entering the age of encryption.  Yes, one of the sponsors of A.B. 1710 says he is going to fight for stricter notification as well as encryption standards.  As the other sponsor said, breaches are not going away.  What happened with A.B. 1710, however, involved some pointless and expensive overreach going away.  By treating breaches of social security and driver’s license numbers differently than breaches of other sensitive information, California lawmakers have shown that they are beginning to understand that all data breaches, and the underlying sensitive information, are not the same and require different types and levels of attention and remediation.  The next step would be finally facing up to the fact that data breaches of credit card primary account numbers and email addresses need not actually harm consumers or even merchants or banks (except for reissue costs) if handled better.  Be safe, though; don’t hold your breath.

Posted on Monday, September 22 2014 at 1:45 pm by

Why the Privacy Crisis is Just the Tip of the Knowledge Asset Crisis

KM1Source: Grant Thornton LLP 2014 Corporate General Counsel Survey, conducted by American Lawyer Media

1.  Privacy is a much bigger deal now than Scott McNealy ever thought it would be.

Privacy literally went from the basement to the boardroom over the last few years, and is now reportedly the top regulatory concern for general counsels (and boards).  Even more importantly, regulatory and compliance issues do not even rise to the top of the privacy and cybersecurity worries, with customer privacy, “unknown and unidentified risks” and “undetected breaches” among the top concerns:


Source: Grant Thornton LLP 2014 Corporate General Counsel Survey, conducted by American Lawyer Media

2.  But privacy will soon be the least of your information risk management worries.

In this post, you will come to see why the apparent privacy crisis is really just the tip of the information risk iceberg. The elevation of privacy concerns parallels and draw on a bigger and longer-term trend: the ever-increasing valuation of databases, trade secrets and IP.  We call those knowledge assets.

As you may know, intangible assets generally represent about 3/4 of corporate market value, and knowledge assets generally represent about 2/3 of the value of intangible assets now.   Another way to look at that is you have the first quarter of organizational value that is tangible assets, then the intangibles that are brand and employee competencies make up a third of the rest, and that leaves knowledge assets as about 1/2 of the value of all corporate assets:

Knowledge AssetsFor many organizations, knowledge assets are already a bigger overall business issue than privacy and cybersecurity are a risk issue.  Knowledge assets as a percentage of market value have always varied substantially by industry:

Industry Knowledge Assets($Billions) Market Value($Billions) Knowledge Assets as a Share of Market Value
Energy $773 $2,027 38.12%
Software & Services $749 $1,408 53.24%
Insurance & Other Finance $745 $1,914 38.93%
Capital Goods $632 $1,313 48.18%
Pharmaceuticals, Biotech, Life Sci. $532 $1,019 52.17%
Technology: Hardware, Equipment $495 $1,053 47.00%
Food, Beverage & Tobacco $443 $764 57.94%
Media $378 $504 75.07%
Materials $349 $737 47.42%
Healthcare Equipment & Services $348 $650 53.60%
Telecommunication Services $292 $406 71.92%
Retailing $267 $610 43.69%
Diversified Financials $212 $1,074 19.77%
Semiconductors & Equipment $191 $440 43.41%
Household & Personal Products $182 $300 60.82%
Consumer Services $170 $339 50.34%
Food & Staples Retailing $161 $383 41.97%
Transportation $142 $293 48.53%
Real Estate $139 $462 30.10%
Banks $133 $554 23.98%
Automobiles & Components $133 $213 62.26%
Consumer Durables & Apparels $104 $225 46.33%
Commercial & Professional Services $91 $162 56.15%
Utilities $4 $510 0.77%
TOTAL $7,665 $17,360 44.16%

Source:  Kevin A. Hassett and Robert J. Shapiro, “What Ideas Are Worth: The Value of Intellectual Capital and Intangible Assets in the American Economy,” Sonecon, September, 2011.  Based on 2009 industry data from the Bureau of Economic Analysis.  These numbers are of course dynamic; with smart grid, for example, utilities are rocketing upward in percentage of knowledge assets.

The arc of information security has been tracking the increasing focus on knowledge assets.  Gone are the days when organizations could treat data security as principally a compliance issue with a privacy regulatory structure such as HIPAA, GLBA, or EU data protection, or regard its principal focus as preventing the disclosure of personal information. Now cybersecurity is driven principally by global cyberthreats, commercial espionage and the lack of a secure internet, and focused on knowledge assets as well as sensitive (e.g., personal) information.  Moreover, because now all systems are vulnerable and most systems are infected, the focus must be on resilience and adaptability, detection and response in addition to the former focus on protection.   With the bad actors and agents now on the inside, cybersecurity is much more a subtle risk management challenge than a compliance challenge, an area of limited control therefore more suitable than ever for risk transfer through insurance.

3.   [Marylin grabs the Massey prenup and tears it] “Darling, you’re exposed!”

Now here is the kicker:  Just as your organization begins to recognize the value and vulnerability of its knowledge assets and tries to protect them, your insurer — probably drawing on an exclusion the Insurance Services Office issued in 2013 — is in the process of excluding or narrowing all of your coverage of knowledge assets under your comprehensive general liability insurance policy.  To make up for that exclusion, they offer you a cyber-risk policy that only covers breaches of personal information, not theft or loss of knowledge assets.  Generously, in the chart below, personally-identifiable information (PII) is counted as 10% of corporate market value; that still leaves the vast majority of intangible assets uncovered.

Insurance CrisisThis, friends, is the big bottom of the ‘berg, the big uncovered area of knowledge asset protection that you can now only address through suing your insurer before your policy gets the new exclusion (and it is a good time for that), your own work in information governance and knowledge asset protection (our stock in trade), and manuscripted coverage that will become more standard as demand builds.   In upcoming posts, we will share many ideas and lessons learned.  But wait, is he going to end for now with one of those stock iceberg images that so dominate big data posts even now, as big data floats, becalmed, in the Trough of Disillusionment of the Hype Cycle?   No, it’s, it’s…..

Moby_Dick_p510_illustration (1)


Posted on Sunday, September 7 2014 at 6:09 pm by

The New Healthcare Networks — Now


1. The Collision

Technology worlds are colliding now in ways that may give the US healthcare system its last and best chance both to heal itself and to improve health. The collision gives health care institutions an opportunity to remain at the center of US healthcare, but at the center of larger new networks not just of providers and health insurers, but networks that include both medical device manufacturers and 24/7 connectivity to patients who need it. Before this collision, US healthcare has been about curing us, not making us healthy, as the numbers make clear:

OECD Source: OECD Health Statistics 2013,; World Bank for non-OECD countries.

What in particular is costing so much? Care for chronic illnesses and comorbidity (which is the same thing, because it just means patients with more than one chronic condition, who cost up to 7 times as much as patients with only one chronic condition):

chronic Copyright © 2008–2014 Center for Healthcare Research & Transformation

Before the impending collision, there is a world of biomedical technology – generally bigger, heavier, more expensive equipment purchased by provider organizations and devoted to curing medical conditions, and a newer world of health and fitness apps – generally smaller, lighter and cheaper and purchased by consumers.

The role and functions of biomedical technology have been morphing ever-faster in the big data world. Now the technology generally needs to change and learn and produce valuable information as it is used, generally by gathering information that is protected health information (PHI) under HIPAA. So the manufacturer of the technology, previously exempt from HIPAA, now becomes a business associate directly subject to HIPAA’s security standards (We are seeing it happen both in the provider negotiations and in the business plans of the manufacturers.).

As a business associate of its health care institutional customer, the manufacturer can not only get PHI from the customer; it can create and send PHI back to the customer, the provider and potentially the patient. The “velocity” of big data will be most powerful as it generates real-time insights impacting care and health decisions, and for those insights to be effective, experts or expert systems need to be able to properly interpret their messages at the point of care or health decisions.

What of the other tech world of health and fitness apps, thought to be the province of fitness zealots, quantifiers of the self, Tom Wolfe’s “social x-rays,” and other people with more time on their hands than us average Joes (or lazy slugs, your choice)? The biggest problem/opportunity for those apps in solving the woes of our healthcare system is that people with chronic diseases are precisely those who need care when they are living their lives away from the bigger, heavier, more expensive technology, but the early adopters of the health and fitness apps that go anywhere your phone and other sensors go are those with health to burn. And because neither we as a society nor those early adopters as individuals have any really compelling reasons to care about incremental improvements in their health, the health and fitness apps can be and often are tossed as soon as their users tire of them. And being so healthy, what does a fitness app user care if his or her information is breached? Nobody loses insurance or a job due to a BMI of 21 rather than 20.

On the other hand, who needs real-time information 24/7 more than someone trying to manage her or his own chronic disease, or someone trying (or something designed) to improve the health or contain the health care costs of that person? And as the literature of health apps tell us, those apps will keep getting used if someone who cares and is respected by the user is at the other end. The impending collision between the disruptive consumer health tech and the established biomedical tech creates the huge opportunity for the disruptive tech to get to the people who need it and to whom we need to get it. But they need serious information security and privacy….

2. The New Networks

Four factors point the way to a structure of the new health care networks with the provider institution in the center:

  • The selection, interpretation and integration of information flowing both from the biomedical technology manufacturers and from consumer health apps all need an expert, experts and/or expert systems;
  • After all of our unsuccessful tinkering with the health care system, we still trust our doctors;
  • A strong and trustworthy maintainer of the privacy and security of health information is necessary for patients to consent (opt in) to participate in the new programs, which given current and likely future cyber-threats means sophisticated and adaptive security; and
  • Love it or hate it, HIPAA, the privacy/security legal/regulatory structure that was put in place when government had not yet come to a standstill (and therefore not likely to be repealed any time soon), made the provider the covered entity on whose behalf the business associates (here the medical technology manufacturer and connected health apps) create, store, use and communicate PHI.

Here, by “connected health apps,” I mean apps that can connect into the health care system because they can credibly enter business associate agreements. The increasing demand for such apps is leading to the creation of platforms and rules that help enable compliance with those agreements and business associate regulatory requirements by the apps developed on those platforms and in accordance with those rules. If such platforms succeed, then, patients/consumers will be able to trust the security and privacy of the system enough to connect (opt in) to it, and will be connected to someone they still appear to trust – their doctors – through a system strongly incented to maintain trust – a medical institution’s information systems.

Mobile health, biomedical devices, what else? To stimulate debate and thinking — and believe me, it did! — I even advocated health systems taking information from data brokers, because if data brokers become business associates, consumers will (for the first time) have many of the rights — e.g., access, amendment, accounting of disclosures — that those who seek due process in the “scored society” could want.

Being at the center of this collision and these new networks is very good news for US hospitals, in my humble opinion. When digital health leader Dr. Eric Topol said that in 20 years,

Hospitals, except for certain key functions like intensive-care units and operating rooms, will be completely transformed to data-surveillance centers,

I wondered whether he might be too optimistic about hospitals. Why put a data surveillance center in a hospital? Who or what will do the surveillance? The current collision and its aftermath, however, keep the medical system in the middle between the patient, physician and medical technology. That is why I humbly suggest that this collision may give the US healthcare system its last and best chance both to heal itself and to improve health.


Posted on Thursday, August 28 2014 at 5:56 pm by

President Obama Nominates Kilpatrick Townsend’s Danny Marti as U.S. Intellectual Property Enforcement Coordinator


WASHINGTON, D.C. (AUGUST 28) — Kilpatrick Townsend & Stockton announced today that President Obama has nominated firm partner Danny Marti as U.S. Intellectual Property Enforcement Coordinator. Mr. Marti, who is currently Managing Partner of Kilpatrick Townsend’s Washington, D.C. office, would become just the nation’s second U.S. Intellectual Property Enforcement Coordinator by replacing Victoria Espinel who stepped down from the position in August 2013.

The Office of the U.S. Intellectual Property Enforcement Coordinator is dedicated to the protection of the American intellectual property that powers the nation’s economy. The office works to foster and protect the United States’ global competitive advantage, which must discourage intellectual property theft while protecting the constitutional rights of our citizens. The office strives to make sure that the Federal government takes the most appropriate action to realize those goals.

“Danny is an exceptional intellectual property attorney who has been repeatedly recognized by his peers and clients across the country as one of the leaders in his field,” said Henry Walker, Kilpatrick Townsend Chair. “The White House has made a great choice in Danny. The entire firm congratulates him on this outstanding honor.”

“This position plays a critical role in implementing the President’s strategy for protecting some of the most important and powerful assets that help drive the nation’s economy,” said Susan Spaeth, Kilpatrick Townsend Managing Partner. “Having worked with Danny for many years, I have seen firsthand his tremendous leadership skills and he will bring the same intellect, commitment and passion to this position.”

Mr. Marti is the Managing Partner of Kilpatrick Townsend’s Washington, D.C. office – one of the firm’s largest of its 17 offices worldwide. He concentrates his practice on the protection, management, and enforcement of intellectual property assets in the United States and abroad. Mr. Marti advises clients in connection with domestic and international trademark portfolio management, licensing, and other intellectual property-based transactions.

Mr. Marti has represented clients in a wide range of cases involving trademarks, false advertising, unfair competition, copyrights, trade secrets, cybersquatting and computer fraud and abuse matters before various U.S. federal courts, as well as the Trademark Trial and Appeal Board (TTAB) and the World Intellectual Property Organization (WIPO).

Posted on Wednesday, August 27 2014 at 4:10 pm by

NLRB Rules That Employee’s Use of the Facebook “Like” Feature Can Be Protected Activity


On August 22, 2014, the National Labor Relations Board (NLRB) ruled for the first time that an employee who participated in a Facebook discussion of his employer’s income tax withholding practices merely by using the “Like” feature in connection with the discussion was protected by federal law.

In Triple Play Sports Bar & Grille, the owners of a nonunionized restaurant discharged two employees – a waitress and a cook – for their participation in an off-duty, off-site Facebook discussion involving claims that several current and former employees unexpectedly owed additional state income taxes because of alleged accounting errors by their employer. A former employee of the restaurant posted a comment on her Facebook wall stating that the restaurant owners “can’t even do the tax paperwork correctly.” The cook clicked “Like” for this comment. The waitress responded to the comment with a comment of her own, stating that she too owed income taxes and referring to one of the restaurant’s owners with an off-color expletive. Neither the waitress nor the cook participated further in the discussion, although other employees and customers continued with comments, including one characterizing one of the restaurant’s owners as a “shady little man” who probably “pocketed” employees’ money.

The NLRB found the discharges unlawful. In this case, there was no dispute that the initial comment exchange among employees and a former employee about the restaurant owners not being able to “even do the tax paperwork correctly” was concerted activity relating to pay practices under the National Labor Relations Act (“NLRA”). The NLRA gives employees a general right to engage in concerted activity (that is, to act together with other employees) with respect to wages, hours, and other terms and conditions of employment and makes it unlawful for employers to base adverse employment actions on such protected concerted activities. In Triple Play, the NLRB equated merely clicking “Like” during a Facebook discussion to expressing agreement with the particular written comment to which the “Like” designation related and thus granted NLRA protection to the cook. The NLRB also found the waitress’s comment was protected, despite its use of a profane expletive to describe one of the restaurant owners. Significantly, the NLRB found that the waitress’s comment and the cook’s clicking of “Like” on one individual posting in the discussion effectively endorsed the former employee’s original complaint only, and the NLRB held that the discharged waitress and cook therefore could not be held responsible for the other comments posted in the exchange, some of which might not have been shielded by the NLRA. The NLRB further found that the employer’s Internet/Blogging policy, which prohibited employees from “engaging in inappropriate discussions about the company,” could be construed to prohibit the type of protected Facebook posts that led to the unlawful discharges and thus also violated the NLRA.

The NLRB’s decision in Triple Play is noteworthy because it expands the concept of “concerted activity” under the NLRA to include Facebook “Likes” that are inserted in a Facebook discussion of working conditions. It also continues the NLRB’s close scrutiny of and strict approach to social media policies.


Posted on Saturday, August 9 2014 at 8:21 am by

Walking the Last Mile to Connectivity in a Village in India — ग्राम इन्टर्नेट (Village Internet) Project


rajasthan art

(I have been working in a village in India with a team of hard-working, smart volunteers to invent, fund and implement a good demonstration project for other villages in India and beyond, designed to accelerate the use of the internet to improve the lives of women, public health and prosperity.  Below is a brief taste of what we’re doing; let me know if you want more!)

Kakelao is a village in Rajasthan of 4,000, the greatest untapped resource of which is its internet connectivity.  State-of-the-art cell towers loom above the village, and everywhere in Kakelao mobile phone reception proudly displays “five bars.”  Cell phones are ubiquitous, and smart phones common.  Yet the sales and supply networks of merchants remain as they were centuries ago, and to students in a geography class the world stops at the village’s edge or in Jodhpur.  In the government office, a good desktop computer distributed as part of the national “ePanchayat” initiative two years ago sits unused in a locked room.

photo 1 (5)

The vision of the Village Internet – ग्राम इन्टर्नेट — project of the Yale Alumni Service Corps and AFS India is to help the people of Kakelao walk the final mile to reap the benefits of the infrastructure and global opportunities that surround them, through e-commerce and information benefiting businesses, education and health.   The goal of the initiative is to disseminate the benefits of the internet as widely as possible in Kakelao, and our strategy to achieve that vision has three primary components:

1)      A public access component allowing both men and women regular, personally assisted internet access to:

a)     help them sell what they make and improve their supply chains via e-commerce, and offer them information about all aspects of their businesses; and

b)    offer health information, continuing education, banking alternatives, helpful daily information like changes in bus and train schedules, and greater awareness of global issues;

2)      Improved free computer training to children in grades 1-8 in the government primary school; and

3)      Broader accessibility of improved private computer training on a fee basis to those who can afford it.

Other carefully-designed village-based initiatives have provided broad public access to internet benefits throughout India, including for those facing literacy, language and connectivity issues.  The largest such initiative, e-Choupal, reached out to 4 million farmers in over 40,000 villages through 6,500 internet kiosks, providing information on crop pricing, weather and other agricultural conditions.  Like e-Choupal, we propose the use of intermediaries for the public access component, but not just as disseminators of information.  These intermediaries will be enabling direct access to internet resources such as e-commerce sites, online markets for crafts, mobile banking and mobile health programs designed for villagers in India, and health and educational information.  By providing that broad, direct access through guided public access points and education and training, Kakelao can hasten the viral adoption of the internet for all of the potential benefits.

The Government and many NGOs and other companies have been providing infrastructure for decades, including fiber, broadband, cell towers and devices, to help transform India’s 640,000 villages, comprising over 70% of India’s population (which will soon surpass China’s as the largest in the world).  Government-issued computers have all-too-often remained locked away and unused, and large infrastructure investments have often come to naught, particularly among those too poor to afford electricity or their own devices, illiterate, or otherwise isolated.   A strong NGO working locally can clearly help open the doors to opportunity, knowledge and health.

Now, as the Government makes bold and commendable promises to extend broadband to all villages in India, this demonstration project (and I would expect others with which we would eagerly partner) will provide valuable lessons for local integration of the Internet into the densely-woven human networks of communication, power, affinity and divisions in any village. Watching the children of Kakelao jumping onto the Internet at the public primary school was a powerful representation of the inevitability of change; how the village walks the last mile in connecting the human network and the Internet will have an important influence on the nature of that change.

Last mile


Posted on Thursday, July 24 2014 at 8:28 am by

Watershed Event on 21st C. Regulation of Privacy, Technology, Civil Liberties & Cybersecurity


UPDATE: In my humble opinion, this hearing was the watershed we expected. Ranking Member Cummings really appeared at the very end of the hearing to be moved by the testimony, expressed it as a “critical moment,” and praised the hearing, which represented extraordinary movement from the party line at the beginning of the hearing. Politico, Mother Jones and all the rest failed to note that movement at all, focusing only on the most vitriolic moments of the hearing. Perhaps I am naive, but the final moments of the hearing appeared to open the door to bipartisan investigation in the public interest.


Original Post:

One of the most interesting and potentially influential political events on privacy, cybersecurity, civil liberties and technology regulation in the US and beyond — and of course that is saying a lot in the age of Snowden — will take place online, free, now, and you simply cannot miss it. The US House Committee on Oversight and Government Reform is about to hold a hearing entitled:

The Federal Trade Commission and Its Section 5 Authority: Prosecutor,

Judge, and Jury

Yes, the event is political, like any Congressional hearing nowadays, and the partisan thunder has been rolling for days before the storm. Yesterday, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) was so “troubled by the impropriety” of the related investigation by House Oversight Committee Chairman Darrell Issa (R-Calif.), which he considers “interference” in the important FTC proceeding against LabMD, that he determined he needed to take the rare step of himself trying to interfere in the House proceeding. The agenda for today’s hearing shows the weakness of Senator Rockefeller’s claim, however. Not only are the CEO of LabMD and another small businessperson on the agenda, but the legal scholars who, as I said in a previous post, have written the most important law review articles on opposite sides of the issue will each testify and take questions.

The ultimate issue at stake is one of the most important facing us in the 21st Century:

How can regulation keep up with exponential rates of change in technology?

The FTC has taken the position that in order to keep up, it needs to be able to enforce regulatory standards without specific notice of those standards. With help from FTC Commissioner Maureen Ohlhausen and the two scholars who will testify today, here’s how I can best express the issue to you:

Why would an agency trying to raise standards for the security of personal information avoid giving notice of its standards? Federal Trade Commissioner Maureen Ohlhausen recently offered remarks[1] that clarify just how important this strategy is to the FTC. In short, her argument is that given widespread innovation and the rate of change in technology, the information regulators need to gather in order to promulgate regulations is so widely dispersed and ephemeral that notice-and-comment rulemaking is stale by the time it is promulgated and carves regulatory categories unfit for their purposes. Her solution is the FTC’s Section 5 “unfairness” jurisdiction, which gathers information only from the parties and makes judgments on those specific facts, calling it “ex postregulation.” She notes that while the results only bind the parties, others can and should look to the results as evidence of how the FTC would regard similar facts, and that “when the FTC weighs that precedent in future cases, it can then consider any changes in the underlying facts.”

If you are trying to run a business, you might find ex post regulation an elegant solution for the regulator but at least worrisome in that the rules regarding your facts are not known in advance. Those who know the FTC’s settlement agreements – almost always involving 20 years of monitoring – find it more troubling. Perhaps most troubling is the knowledge that the consent orders obtained generally involved no admission of wrongdoing, and represent practical business decisions by enterprises wishing to avoid years of ruinous litigation and damage to their reputations, rather than judgments of courts on the merits.

Commissioner Ohlhausen is well aware of the amount of power ex post regulation gives the FTC, and perhaps for that reason starts her speech with “Principle 1: Regulatory Humility.”[2] Professors Solove and Hartzog made the case, in a very thoughtful and influential article written before her remarks and somewhat inconsistent with them, that the FTC has exercised, if not humility, then at least restraint in the actions it has brought, providing justification for current trend of viewing FTC privacy and information security consent orders under its Section 5 unfairness and deception authorities as development of a “common law.”[3]

The FTC’s actions may not have lived up to the justification that Professors Solove and Hartzog have developed for them, nor to the principle of humility. For example, when an administrative law judge recently ordered the FTC to disclose its “unfairness” information security standards in the LabMD case,[4] the FTC did not claim that the security provisions mentioned in its more than fifty information security cases constitute precedent; it generally confirmed that every judgment is case-specific.[5] By the same token, the FTC does not ask its experts in the cases it brings to review its settlement agreements; rather it asks only for–and then relies on–a case-specific judgment based on the expert’s (mostly technical) security expertise; that is ex post information security regulation in action.[6]

Here’s the link again. Don’t miss it!

[1] The Procrustean Problem with Prescriptive Regulation , Remarks of Maureen K. Ohlhausen, Commissioner, U.S. Federal Trade Commission to the Sixth Annual Telecom Policy Conference of the Free State Foundation, Washington, DC, March 18, 2014. Commission Ohlhausen noted that “The views expressed in these remarks are my own and do not necessarily reflect the views of the Federal Trade Commission or any other Commissioner.”

[2] For a good article on how fair notice principles could be considered by the FTC, see Stegmaier, Gerard M. and Bartnick, Wendell,Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements(May 9, 2013). George Mason Law Review, Vol. 20, No. 3, pp. 673-720, 2013. Available at SSRN:

[3] Solove, Daniel J. and Hartzog, Woodrow,The FTC and the New Common Law of Privacy(August 15, 2013). 114 Columbia Law Review 583 (2014); GWU Legal Studies Research Paper No. 2013-120; GWU Law School Public Law Research Paper No. 2013-120. Available at SSRN: or


[5] Transcript of the Testimony of Daniel Kaufman, May 12, 2014, at

[6] See, e.g., Expert Report of Raquel Hill, Ph.D., included on p. 19 at

Posted on Saturday, July 12 2014 at 2:42 pm by

The Presentation of Self in the Everyday Workplace



How should employers and employees deal with US law’s new recognition that digital life on a phone or cloud is often as intimate as a diary?

Recent big, bold Supreme Court decisions on cellphone privacy have come at about the same time as the best summer business reading is presenting a cure for the dishonesty of the current employer-employee relationship. The confluence of these two unrelated developments may in fact offer some useful opportunities in connection with the lesser dishonesty of being employed while using the Internet.

The apparent new right in the privacy of cell phone data was immediately recognized asbased more on the richness of the personal data than where the data resides, potentially protecting data of comparable richness in all of its clouds and other travels far beyond the cell phone. Already, we can see ripples of these criminal cases in a civil case involving employees going after other employees’ cell phones.

The first big question for employers and employees is: As these ripples move into the workplace and employers realize that their BYOD policies and employee handbooks may not be clear enough regarding the search of personal cloud repositories or other personal information stores, will they continue to design policies, consents and acknowledgements as broadly as the law permits and to some extent requires? Or will they — and in which ways can they, in view of their obligations to monitor discrimination and harassment — think about zones or counterbalancing principles of privacy, because as the Supreme Court recognized the digital lives to which employees can grant access are as personal as the most intimate diary?

That question brought to mind the source of this post’s title, Erving Goffman, because it goes beyond the privacy of data elements to the composition of the employee self in relation to the employer and other employees. Goffman treated face-to-face interaction as theatrical performance, and distinguished a “backstage” in which people could be themselves and prepare for performance. In some ways, what we have done by not (in the US) extending employee privacy rights from the private physical spaces (e.g., lockers) to the employer-sponsored electronic media on which many employees live is to get rid of the backstage, and social media intensifies the self-expression. (Employee self-expression online has long resulted in countless workplace disputes and more recent broad NLRB protection of certain content.)

The big question, restated in Goffman’s terms, is to what extent and how employers will allow employees to have a backstage. Not all of us need a backstage to be creative and productive and authentic, but others are quite clear that they do.  So, as most work becomes more and more temporary and part-time, and employers focus more and more on creating honest, bilateral “alliance” relationships, a concrete question the employer bilingual in Goffman and Hoffman might ask is:

How can I monitor what I need to monitor while still providing enough of a backstage for the ones who need it, enabling the alliances we want?

And the digital workplace privacy policy may even become a document that applicants and employees want to read, because it might speak directly to their ability to have authentic relationships in the workplace.