Electronic Data Challenges in Employment Law
Vol. 5
January 2005
Ms. Allor is a partner in the Labor and Employment Law Department at Morrison and Foerster, LLP, San Francisco office. Ms. Allor has extensive experience in the area of employment law, and her practice principally involves defending companies in employment discrimination, wrongful termination and wage and hour actions. Ms. Allor also counsels and conducts training seminars for companies on a wide range of issues such as personnel policies, family and medical leave, wrongful discharge and sexual harassment. Ms. Allor received her B.A. degree with distinction and departmental honors from Stanford University, and her J.D. degree from University of California, Berkeley, School of Law. Ms. Allor is currently a member of the Equal Opportunity Committee and the Litigation and Labor and Employment Law Sections of the American Bar Association, the State Bar of California, and the Bar Association of San Francisco.
Q: What do you see as the current challenges in the area of labor and employment litigation post Zubulake[1] in regards to electronic data preservation and production?
A: From the employer’s perspective, companies need to keep in mind that very frequently in employment litigation cases, they will be faced with a broad obligation to preserve and produce electronic data. Employers will need to work with counsel as well as their IT departments to see that appropriate steps are taken early on in the litigation process to preserve the appropriate electronic data intact. Once the appropriate data is retained and preserved, electronic data production becomes a less daunting task. With respect to the production of the data, plaintiffs often serve very broad requests for electronic data. If a defendant employer has already appropriately preserved relevant data, it may be a less burdensome task to search the data and the employer can focus on reaching an agreement with plaintiff’s counsel on an appropriate narrowing of the relevant search criteria.
From the perspective of employment lawyers involved in cases where electronic discovery is necessary, two of the main issues they face are the content of electronic data and the management of discovery of this data. For employment lawyers, it is still a relatively recent phenomenon to be thinking about electronic data immediately at the start of a case. But it is a fact that now, in almost every employment case, clients will have electronic data that’s relevant to the case. For instance, in a wrongful termination case, there might be emails discussing the motive behind the termination; in an employment discrimination case, there might be either emails or other records in electronic form that will provide insight into the decision maker’s thought process – things that could be either helpful or potentially harmful. These are some of the reasons that the issue of electronic data has to be considered at the very beginning of a case in order to take the appropriate steps to preserve it. It will no longer be considered sufficient for lawyers to just send their clients generalized “preserve data” instructions. Employment lawyers will have to work with their clients, as described by courts in many of the cases that have ruled on electronic discovery issues, to preserve relevant data. General data retention instructions, for example, should also be followed up with discussions with the company’s IT department, and outside consultants, if necessary, to ensure that the relevant information will be available when needed.
On the content side, one of the challenges is to educate companies and their employees to be aware of the fact that nothing they communicate electronically will be irretrievably deleted and therefore safe from production during the discovery phase of litigation. What that means is that employees have to be very careful about their electronic communication to the extent that they would not include in electronic form things that can be taken the wrong way. An electronic communication should be viewed as no different from a written memo that easily could be distributed to the whole company. This is an issue that needs to be addressed through employee training where the appropriate use of email and other electronic records is emphasized.
Q: How should employers balance sound electronic data retention practices with their inherent costs?
A: This balance can be achieved primarily through evaluation and improvement of retention policies. Companies should start by evaluating their retention and destruction policies in general and then in particular those policies that pertain to electronic data. There is a tendency to want to retain everything once it is created, yet this is an approach that can significantly increase the cost of data production and may not legally be necessary. As long as there are no pending claims, and the legal requirements are respected, regular processes can be set up where electronic data can be destroyed or over-written. The challenge for employers is to balance the need to retain information required by statute, or which could be useful in some way, against the greater burden that retention will create for the production of data. Again, the main point to keep in mind is that both retention and destruction of electronic data should be done in accord with the appropriate statutes and regulations.
Q: What types of laws and regulations would help employers reach this balance more effectively?
A: There are many sources of law regarding requirements for data or record retention. These requirements vary widely depending upon the type of record being regulated. In my view, it would be difficult to have a specific body of law that would bring complete uniformity among the current myriad regulations pertaining to data retention. The answer does not lie so much with drafting appropriate legislation as much as it does with companies themselves drafting record retention policies that require the retention of records for the periods required by statute, but not longer.
Q: A new statute in the California Civil Code (§ 1798.82) requires businesses to notify California residents whose personal information might be affected by a security breach in a computerized record containing personal information. How would this new regulation affect businesses whose operations involve the use of computerized records of California residents’ personal information?
A: Breaches in data security affect companies at multiple levels. Aside from the potentially expensive and burdensome notification process that this new California statute mandates, a data security breach can impact negatively these businesses’ reputations and the trust involved in their relationships with outside vendors, customers, and even their own employees. At a minimum, one of the things that this legislation should spur companies to do is to evaluate their need to retain individuals’ personal information in unencrypted format. In order to minimize the risk of a security breach, companies should consider whether they even need to continue to use “personal information” within the meaning of the statute or whether they can substitute an alternative identifier. If they cannot make that type of substitution, the next consideration would be to evaluate the ability to convert the personal information to an encrypted format. If that step isn’t viable, then companies need to set in place, in conjunction with their IT departments, a data security policy that limits access to personal information and provides training to employees about what to do in the event of a breach.
Q: Do you believe that telecommuting increases the risk for breaches in data security, and if so, how would telecommuting affect both employers and employees?
A: For companies whose employees have access to electronic data, telecommuting does not present a significantly different degree of risk of a data security breach. Whether an employee works from home or from a company’s office, the general risk of breach in data security is still there. Focusing specifically on telecommuting, however, highlights how little employers often know about the exact day-to-day activities of their employees. But the wide access of all employees to computer systems means that the risk of either an intentional or inadvertent breach in security is present both in the office and the home environment. There is a recent statistic showing that in up to 70% of the cases of identity theft in the United States, the pertinent confidential information was supplied to the identity thieves by employees of companies who had access to personal identifiable information. I would be surprised to find that the employees providing the confidential information were all telecommuting! Again, it is the ready access to highly confidential information that creates the risk to the employer more than where their employees are physically located when they are performing their work.
Q: In employee termination situations, what are some of the preventive measures that employers can take to ensure that the termination will not give rise to a retaliatory breach in data security?
A: As a matter of practice, companies could include as part of their policies and procedures the use of confidentiality provisions and termination certificates as a way to remind their employees that even after their employment termination, they still have an obligation to keep certain types of information confidential. Another group of solutions entails taking careful steps to secure the company’s electronic data well in advance of an employee termination; this is something that the employer would do by working closely with the IT department such that once an employee is terminated, that employee’s access to secure and confidential data would end right away. For instance, that employee’s access to the company’s network would be cut off right away, and his or her computer and PDA would be secured in a timely manner as well. If the employee has a need to access personal documents or data on his or her computer before leaving the workplace, employers should ensure the access occurs in a supervised way so that the employee would not be able to delete or download files containing secure data.
Q: What type of effective employee training practices should there be with respect to data security?
A: The most important aspect of an effective employee training program regarding data security is that it would be hands-on – that is, that it not take place simply by issuing a memo or asking employees to access a training module on a company website. It’s also important that the training emphasize simple, everyday matters. Often the focus of employee training is only on the electronic data itself and not on other angles of it, such as the handling of printouts of secure electronic data which should be treated with the same level of confidentiality – or even more – as data in electronic format. Another point that should be emphasized in these training sessions is the handling of PDAs (including instituting password protection) which often contain sensitive information and which are easy to leave lying around, unattended. Training sessions should not only include advice on day-to-day practices that would protect secure electronic data, but also measures that employees should take in the event of a breach in data security. Also, the IT employees who would be responding to these situations of breaches in data security should be included in the training sessions and be well-versed in the effective measures needed to be taken to minimize or stop the breach as quickly as possible. It would also be helpful to have a training follow-up mechanism in place that would ensure that sound data security practices are actually followed by employees.
Q: What are some of the steps that employers could take to prevent both intentional and unintentional disclosure of confidential and secure data by their employees?
A: An effective first step for companies is to adopt a comprehensive written data security policy. In addition, at a very minimum, there should be appropriate firewalls in place, which most companies have already instituted, along with password protection measures and encryption of confidential data. As part of this comprehensive data security system, companies should adopt a data classification system where electronic data is categorized into different groups according to various levels of required confidentiality. Access controls would be correlated with the different levels of confidentiality such that employees would be given the appropriate access only to the data that they need in their routine employment duties. A data classification system would help companies meet confidentiality requirements while at the same time maintain a normal business operational flow. These data confidentiality policies should extend also to vendors or any other outside entities that would have access to a company’s secure data.
[1] Zubulake v. UBS Warburg LLC., No. 02 Civ. 1243 (SAS), 2004 WL 1620866 (S.D.N.Y., July 20, 2004)