When a government agency requests the contact information for a company’s employees, whether by subpoena, civil investigation demand or otherwise, the company’s knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. Organizations are similarly obligated to produce documents in connection with lawsuits filed by private parties. However, employers must protect their employees’ personal information from improper disclosure, even when such information is requested during the course of an investigation or litigation.
In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a U.S. Department of Labor administrative law judge offers some tips to employers facing demands for their employees’ confidential personal information.
In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance Program’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the names, addresses, telephone numbers and personal email addresses of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns.
One of the most significant aspects of the ruling was its acknowledgment of real-world concerns regarding data privacy and protection. Judge Berlin noted that individuals’ contact information, in the hands of the OFCCP, may be targeted by hackers or leaked by OFCCP employees. The order pointed out that, in many instances, the federal government has failed to effectively safeguard sensitive information. In 2015, for example, hackers stole personally identifiable information, including in some cases fingerprints and Social Security numbers, for millions of current and former federal employees and applicants for federal employment.
Judge Berlin also recognized that employers have a significant interest in maintaining employees’ trust by protecting their personal information. Even if a company is forced to comply with an agency’s demand, its employees will likely resent the involuntary disclosure of their personal information. Businesses will suffer if current and prospective workers perceive them as unwilling to protect their privacy interests. Judge Berlin addressed these concerns by ordering the OFCCP to take reasonable steps to protect the information it obtains from Google.
The order also held that the OFCCP’s demand for the contact information of over 25,000 employees was overbroad. The OFCCP argued that it was necessary to collect the contact information for a large number of employees in order to interview a selected number of them without revealing their identities to Google. While obtaining the contact information for a large number of employees is one way to reduce the possibility that interviewees can be identified and retaliated against, Judge Berlin noted that the OFCCP is likely to interview no more than 100 to 300 Google employees in connection with its investigation. Accordingly, collecting even a fraction of the requested data would still enable the OFCCP to hide the identities of selected interviewees. Ultimately, the ruling permitted the OFCCP to choose 5,000 specific employees whose contact information it will receive.
Government agencies are not the only targets of hackers seeking individuals’ personal information. Last month, credit reporting agency Equifax announced that a vulnerability on the company’s website led to the theft of 143 million customers’ personal information, including names, Social Security numbers, birth dates, addresses and driver’s license numbers. The Equifax cyberattack is one of the largest and most disruptive data breaches reported in recent years, but it is not unique. In 2014, online retailer eBay revealed that hackers accessed 145 million users’ records, which included account passwords, email addresses, birth dates and mailing addresses. Last year, Yahoo! disclosed that cyberattacks dating back to 2013 and 2014 compromised data associated with over 1.5 billion user accounts. Law firms are also tempting targets for hackers, as they sometimes possess their clients’ most sensitive data.
In April 2016, the hack of Panamanian law firm Mossack Fonseca led to the release of the “Panama Papers.” The Panama Papers revealed that a significant number of high-profile individuals, including current and former heads of state, used the firm’s services to exploit offshore tax havens. Large U.S.-based law firms such as Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP have been victims of recent cyberattacks as well.
Government investigations and lawsuits can threaten an organization’s data privacy, even if its internal data security measures are solid. Employers should be wary of turning over their employees’ personal information to the government, private litigants or opposing counsel without ensuring that the information will be adequately protected. Employment litigation, in particular, often involves workers’ most sensitive personnel information, including medical records and salary information. Even employees’ emails can contain private information, including unflattering commentary about co-workers or correspondence between employees and their family members.
Because an organization is only as strong as its workforce, employers are increasingly recognizing the importance of maintaining employees’ trust and goodwill. Accordingly, employers engaged in litigation should attempt to negotiate protective orders requiring the parties to safeguard information shared during discovery. It is increasingly common, and a good practice, for protective orders to specify the level of security law firms and their vendors use to secure data. While detailed protective orders are more common in cases involving proprietary business information, employers should consider treating their employees’ personal information like trade secrets or other intellectual property.
In employment litigation, the burdens of document production often disproportionately impact one party, and attorneys may be unwilling (or unable) to agree to protect an opposing litigant’s information. If an opposing party will not agree to take adequate data security measures, Judge Berlin’s July order demonstrates that employers can, and should, request judicial intervention before producing their employees’ confidential information.
By resisting the OFCCP’s overbroad requests, Google managed to significantly pare down the scope of the agency’s demand and forced it to take additional steps to protect Google’s employees’ information. Like Google, all employers should consider creative solutions to defend against the unnecessary disclosure of sensitive employee data and to maintain their employees’ trust.