There is a general presumption that workplace privacy does not exist under any circumstances. However, that is not always the case. The state Constitution grants privacy rights and a private right of action to file a lawsuit against employers who violate those rights. It states in relevant part that: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, pursuing and obtaining safety, happiness, and privacy.”

The courts have decided that the main issue is whether the employee has a “reasonable expectation of privacy.” So, for example, employers are allowed to monitor internet usage or business email communications. Nevertheless, employers are not permitted to conduct surveillance in bathrooms or locker rooms. An employer may be held liable for disclosing the employee’s termination reasons, arrests, convictions, credit reports, misconduct reports, medical information, or confidential communications.

Employers are usually interested in social media activities of their actual or potential employees. They may review their social media accounts to make hiring decisions. However, California Labor Code § 980 prohibits employers from requesting disclosure of usernames or passwords of social media accounts. It also prohibits employers to require the employees to access personal social media accounts in their presence. California Labor Code § 980 states in relevant part that an employer shall not require or request an employee or applicant for employment to do any of the following:

Workplace privacy rights and legal restrictions on workplace monitoring are important issues. Many employers monitor employee activities to increase productivity and avoid workplace violations. They may use special software to monitor the network activities which can include email, telephone, and internet activities. However, they should also consider the employee’s reasonable expectation of privacy.

An employer, that has a legitimate interest in monitoring its employees, should be allowed to monitor business-related communications without problems. A legitimate interest can be established when there is proof that surveillance was conducted to promote efficiency and productivity. Employers usually inform their employees that they are being monitored to avoid violating their privacy rights. In other words, once the employee knows that he or she is being monitored, then he or she does not have a reasonable expectation of privacy. However, any kind of workplace monitoring should be narrowly tailored in time, place, and manner.

The Electronic Communications Privacy Act (codified under 18 U.S.C. 2511, et seq.) is a federal statute that is designed to control the workplace monitoring of electronic communications. It generally prohibits employers from intercepting electronic communications of their employees. Nevertheless, there are the following exceptions: (1) business purpose exception; and (2) consent exception. The “business purpose exception” applies when the employer is able to show surveillance was being conducted for a legitimate business purpose. The “consent exception” applies when the employer is able to show surveillance was being conducted with the employee’s knowledge and consent.

Electronic data exists on multitude devices for everyone. In other words, electronic information such as letters, emails, pictures, or videos are being stored on your electronic devices on a regular basis. Now, we should be cognizant of this process and take steps to protect the electronic information and promote privacy rights.

The Fourth Amendment was enacted to promote an individual’s right to privacy and states as follows:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Cybersecurity is the most important measure for protecting your personal and confidential information. There are cybersecurity incidents taking place on a daily basis. In general, most targets are companies and individuals who yield confidential information such as financial documents. This way, the hackers can use the information to promote their illegal acts or violations. In fact, it is known they use malware and spam to infiltrate electronic devices and extract confidential information.

Spam has been prolifically used by hackers to target victims. The hackers use this method to send unsolicited emails to victims. In other words, they ask them to click on a link or download a file which unbeknownst to the victim contains malware. Then, once the victim has downloaded the malware, his or her computer will be infected. The virus will extract personal information and send it back to the hacker. The virus may also use a “keylogger” to track the victim’s activities. It can track and record the victim’s financial transactions and find a way to log into his/her bank accounts.

Hackers can find their victims by using several methods. For example, phishing scams have been used to lure their victims into traps. They use instant messages and text messages to contact their victims. The hackers use these methods to take the victim’s usernames and passwords without authorization. They will try to gain access to the victim’s financial accounts and extract funds without authorization. As a result, the hackers will ruin the victim’s credit by opening up credit card or mortgage accounts without authorization. They can obtain cash advances if they gain access to the financial information. They will also utilize the victim’s social security number to engage in fraudulent activities.

Data breach incidents have caused a significant amount of complications for business owners and their customers. The statistics show that at least 50% or more of companies have been targeted by hackers. So, the lawmakers have taken steps to promulgate laws to protect the victims and penalize the bad actors.

Data Breach Notification Laws

Every state has some form of data breach notification legislation that requires business owners to give notice to consumers about a data breach that has resulted in the unauthorized acquisition of unencrypted personal information. These laws usually require the business owners to give notice to the consumers in the most efficient manner. They may require the business owners to notify the Attorney General’s office if the business is required to notify a significant number of residents in that state. They also grant a “private right of action” (i.e., the right to file a lawsuit) to the victim in order to seek legal and equitable damages.

Cybersecurity is paramount to secure online communications whether they are for sending or receiving sensitive or confidential information – e.g., trade secrets, intellectual properties, financial information. Many people assume they are protected on the internet when transferring or receiving files over computer networks. They may attach tax-related documents to their message and press the send button without hesitation. What most people do not realize is that information may be intercepted without authorization. Now, most laws require “reasonable security measures” to ensure the privacy of confidential records.

What are the state laws?

There is no single state law that applies to all cybersecurity-related issues. So, every state has promulgated several statutes in order to address and promote cybersecurity. These state laws are usually similar in their nature and scope. For example, California recently passed the California Consumer Privacy Act (“CCPA”) codified under Civil Code Sections 1798.100, et seq., to enhance consumer privacy rights. It grants consumers the right to know what kind of personal information is being collected about them, whether the personal information is sold or disclosed, to refuse the sale of their personal information, to gain access to their personal information, to request deletion of their personal information, and to not be discriminated against for exercising their privacy rights.

Internet fraud and scams have exponentially increased in recent years. There are several reasons for this development which include the expansion of technology and usage of electronic devices in our daily lives.

The fraudsters find different ways to retrieve sensitive or confidential information in order to commit their crimes. For example, they may extract the information by dumpster diving next to corporations and financial institutions. There have been cases where sensitive information of a corporation’s employees was extracted without authorization. They may also engage in “shoulder surfing” which is another way to surreptitiously extract confidential information from the unsuspecting victim. These activities usually take place close to a bank’s ATM in order to steal the victim’s debit card PIN. They can also use what is referred to as a “skimming device” as a way to obtain sensitive information from debit or credit cards. These devices can be placed on ATMs to procure the confidential information without suspicion. The fraudsters can also obtain sensitive or confidential information by breaking and entering into the victim’s property. This way, they can look into the victim’s house or vehicle for valuable items or confidential documents.

There is a long list of internet fraud methods such as auction scams, rental scams, dating scams, lottery scams, and charity scams. The criminals are finding new ways to trick their victims into relinquishing valuable information – e.g., address, telephone, date-of-birth, social security number, debit or credit card number. Social engineering is another method to obtain information which is usually done by gaining the victim’s trust. It has become one of the main methods for extracting valuable information from unsuspecting victims. The internet allows culprits to anonymously communicate with their victims which is the major issue in lawsuits simply because it takes time and effort to launch an investigation. Our law firm is able to unmask the anonymous culprit’s identity by using the proper tools and techniques. We have access to a network of experts and investigators who can help our clients. We have also established relationships with local, state, and federal law enforcement agencies.

The parties are generally entitled to discovery of relevant and admissible evidence during litigation. This process includes the discovery of electronically-stored information (“ESI”) which can be stored at internal and external locations such as the local area network and cloud.  It has become more prevalent for companies to transfer their electronic files to the cloud to reduce costs. It is now more practical to upload and transfer data to a third-party’s servers. However, there are certain risks associated with this process. First, you will be relinquishing control over the electronic information. Second, you will not have control over the third-party’s information security protocols. In other words, even if the electronic information is originally encrypted, it may lose its encryption status if uploaded or transferred to the third-party’s servers.

It is important for attorneys to have a general understanding of the client’s network infrastructure. So, it is always recommended to interview the client’s information technology staff. This way, legal counsel can be better prepared to ask and answer discovery-related questions. Moreover, the relevant discovery rules are outlined in the Federal Rules of Civil Procedure 26, 33, 34, 37, and 45, and Federal Rule of Evidence 502.

Court Mandated Guidelines

Sextortion is a type of online blackmail. It’s one kind of sexual exploitation that takes place on the internet when an anonymous individual threatens to distribute the victim’s explicit videos or pictures if he or she does not comply with the demands which can include transferring funds through digital currencies. The culprit may use a webcam to extract private information and make threats to harm the victim if the victim fails or refuses to comply with the demands.

The culprit usually follows his victims on websites and chatrooms to gain their trust. The culprit may send a message to the victim that has malware in an effort to hack into the victim’s electronic devices. The victim can make the mistake of clicking on the link which releases the virus on to the computer. The infected computer is now compromised and can be used for nefarious purposes.

The courts have been dealing with sextortion since it is a new problem in the technology age. The law prohibits the non-consensual dissemination of intimate pictures or videos but the litigants or their lawyers have been using laws related to harassment, extortion, bribery, or child pornography. For example, 18 U.S.C. § 2251 prohibits sexual exploitation of children. The following federal statutes could be relevant to these activities: 18 U.S.C. § 2252, 18 U.S.C. § 2422, and 18 U.S.C. § 875.

We’ve discussed how the states have passed privacy laws to protect their residents. We have also referenced the state and federal rules or regulations that are designed to promote transparency, security, accuracy, proper data collection, and accountability.

The Federal Constitution has not expressly mentioned the right to privacy. However, under Article I Section 1, the California Constitution has mentioned the “inalienable right to privacy” that is applicable to the government and private individuals. The courts have confirmed this fundamental right. In White v. Davis (1975) 13 Cal.3d 757, 774, the Supreme Court analyzed the facts and confirmed the right of privacy. In Hill v. National Collegiate Athletic Association (1994) 7 Cal.4th 1, 39, the Supreme Court outlined the following framework to decide whether there is a constitutional violation: (1) there must be a legally protected privacy interest; (2) there must a reasonable expectation of privacy; and (3) there must be a serious invasion of privacy interest.

There is also a common law right of privacy. First, there is intrusion into plaintiff’s seclusion. Second, false light as a result of false and negative publicity. Third, public disclosure of private facts. Fourth, there is the commercial appropriation of plaintiff’s name or likeness without consent. The courts have also recognized negligence as a cause of action when the defendant fails or refuses to manage data in a reasonable manner. In other words, the defendant can be sued for failing to comply with the industry data management standards if it causes damages to the plaintiff.