
labor and employment law
- August 2005 -
SPYWARE and ADWARE:
Is Your Company Protected?
Spyware is becoming an increasingly prevalent tool that is used by
internet marketing companies and others to gather information about
computer users’ activities on the Internet. It is widely reported that
some spyware is also being used to obtain personal information about
visitors to the Internet in order to facilitate identity theft or worse.
What is it and how did I get it?
In its most basic sense, spyware can be defined as “any software program
that aids in gathering information about a person or organization
without their knowledge, and can relay this information back to an
unauthorized third party.” This definition was proposed by an industry
trade group and probably enjoys general consensus in the industry. While
there are many ways these software programs can be delivered, they
usually end up on a user’s computer by being surreptitiously downloaded
in the background while the user is visiting a participating Web site.
Once the code is inserted into the appropriate places in the user’s
browser, it can collect information such as passwords, credit card
numbers, and social security numbers, or it can monitor and report
behavioral information such as the user’s favorite Web sites or Internet
purchasing habits.
Adware - Spyware’s nicer cousin
Spyware is often grouped together with adware, although there are some
significant differences between the two. While the main purpose of
spyware is to obtain information about a user, the main purpose of
adware is to advertise. Usually, this advertisement is accomplished
through pop-up ads, but recently, adware manufacturers have gotten more
clever and have figured out ways to, for example, cause the user’s
browser to display search results determined by the advertisers instead
of the search site. While some adware programs may use tactics that are
similar to spyware, they claim to do so with the knowledge and consent
of the user — although this claim is often disputed by the user who is
sick of pop-up ads. Typically, adware finds its way onto the user’s
computer by being “bundled” with other applications that the user
actually wants. One of the main issues with adware is that the user
often does not know he is downloading the adware code along with the
desired application.
Many adware companies currently argue that their software is only
downloaded with the consent of the user. What they do not tell you is
that consent is often given by way of a long, complex and burdensome
notice agreement. The typical user, instead of reading the entire 40- or
50-page pop-up consent regarding what is being downloaded, will simply
click “OK” in order to download the program she wants. What users miss
by not reading that long notice is that bundled along with the software
the user wanted, there is a spyware or adware program.
What is the government doing about it?
Since spyware is universally seen as a threat to Internet users, several
states have taken steps to attempt to outlaw it. California, Washington
and New York have been the most active in the field of spyware
prevention, with California actually having its law on the books. All
other states discussed here have legislation proposed and in various
stages of the legislative process.
All three states would or do prohibit the deceptive use of computer
software to:
- Modify another person’s Internet settings,
- Collect personally identifiable information from a person’s computer,
- Prevent another user’s ability to block or remove spyware or adware by making the software automatically reinstall,
- Intentionally misrepresent to a user that software will be disabled or removed by a certain action when it will not, and
- Intentionally remove, block, disable or render inoperative another user’s security, anti-spyware or antivirus software.
Also to be prohibited by all three states are actions such as:
- Sending “spam” or “junk” e-mail from another person’s computer without their authorization,
- Causing another user to incur financial charges for a service not authorized by the user, and
- Unauthorized opening of multiple advertisements on another user’s computer which the user can’t close without closing the Internet browser or turning off their computer.
While California and
Washington provide for civil penalties for spyware violations, New
York’s new bill would make spyware violations a criminal act. The first
violation would be a Class “A” misdemeanor, punishable by up to a year
in prison and a fine of up to $1,000. A second violation within a
five-year span would be a Class “E” felony, punishable by up to four
years in prison and a fine of up to $5,000. Alabama, Arizona, Illinois,
Kansas, Maryland, Nebraska and Virginia have all submitted legislation
that is substantially similar to the California law and the New York and
Washington bills.
Proposed Federal legislation
On January 4, 2005, a bill was introduced into the U.S. House of
Representatives by California Representative Mary Bono (R), called the
“Securely Protect Yourself Against Cyber Trespass Act,” or “SPY-ACT.”
The stated purpose of this bill is to protect users of the Internet from
unknowing transmission of their personally identifiable information
through the use of spyware programs. A virtually identical bill was
introduced by Rep. Bono in 2004, and it passed through the House by an
overwhelming vote of 399 to 1. That bill, however, never came up for
vote in the Senate and had to be reintroduced in 2005.
Much like the state laws and legislation discussed here, the SPY-ACT
would prohibit specific types of deceptive conduct in relation to a
third-party’s computer. For instance, Section 2 of the SPY-ACT provides
18 specific “deceptive” practices which are prohibited by the Act. These
practices include “phishing” (using phony e-mails from credit card
companies or stores to get a user to enter personal information),
keystroke logging, homepage hijacking and ads that can’t be closed
except by shutting down a computer.
Section 3 of the SPY-ACT sets notice and consent requirements for
programs that collect personal information or track online activities.
One of the weakest points of the SPY-ACT, according to software experts,
is that Section 3 allows for a software developer to give a user
“notice” that either spyware or adware is going to be downloaded onto
their computer, and for the user to give “consent” to such downloading.
According to Section 3, there is no violation of the Act if notice is
given in the following manner, and the user consents:
- Notice must be “clearly distinguished” from other text on the screen,
- Notice must include this text: “This program will collect and transmit information about you” or “This program will collect information about the Web pages you access and will use that information to display advertising on your computer,” or substantially similar language,
- Notice must remain on the screen until the user accepts or denies consent, and
- Notice must provide the option of giving additional information about the program which is “clear” about the information collected and the purpose.
The provision that the notice
may contain “substantially similar” language has left the door open to
companies that currently use long, confusing notices as discussed
earlier. Such companies argue that they are already in compliance with
the federal legislation by providing a consent notice, even though the
notice is practically useless because the typical user won’t read it.
Penalties and Enforcement
The good news is that the SPY-ACT has some teeth, in the form of hefty
civil penalties of up to $3 million per violation. The bad news is that
the Act gives enforcement powers only to the Federal Trade Commission
(“FTC”). The FTC has been notoriously slow to enforce software
protection laws, and although more severe spyware acts could be
actionable under the current FTC rules on deceptive trade practices, the
FTC has prosecuted only one such case to date. Perhaps even worse, the
SPY-ACT, if passed, will specifically preempt any and all state laws on
the subject. This would effectively take enforcement power out of the
hands of individuals who have the most to lose.
What should your business do now?
The biggest thing right now is for businesses to realize that their
computers and information systems are at risk from threats such as
spyware and adware, which can transmit confidential information to third
parties without their knowledge. You should be on the lookout for any
such violations, although for the time being only California has enacted
laws against such activity. All businesses should have a policy for all
employees prohibiting downloading software from the Internet without it
first being checked out by their information technology department.
Without such a safeguard, no software should be downloaded from the
Internet.
Also, companies should keep an eye on the federal legislation that is
working its way through the House. Based on the passage of practically
identical legislation last year, the SPY-ACT is almost guaranteed to
pass the House. The bill must then pass through the Senate, and be
signed by the President before it will become law.
Regardless of the Federal legislation, if you discover a spyware problem
with your computer system, please contact your Tucker Arensberg
lawyer because spyware may be actionable under current deceptive trade
practice laws on a state or federal level.
One Nation Under God -
Does That Include The Workplace?
Once a topic to be politely
avoided in conversation – religion is now the topic of conversation.
With companies openly professing faith and employees seeking
accommodations based on faith, the phrase “One Nation Under God” is as
simple as it is complex. As recently as March 19, 2005, the headline in
a Texas newspaper read “Dell rehiring 31 Muslim employees after
agreement over sunset prayer.” According to the article, the Muslim
workers voluntarily walked off the job with Dell after being told by a
staffing company that they could not take a separate break for their
required sunset prayers. The walk-out occurred as a result of a
misinterpretation of Dell’s policies and procedures by the outside
staffing company responsible for placing the Muslim employees. While an
agreement between the employees and Dell was eventually reached, the
matter underscores the rising influence faith is playing in the
workplace and the need to carefully evaluate, appropriately apply, and
effectively communicate policies and procedures governing religion in
the workplace.
Consider the following: In 1995, approximately 1,581 complaints relating
to religious bias were registered with the Equal Employment Opportunity
Commission (“EEOC”). In 2004, the EEOC reported 2,466 complaints with a
spike of 2,572 complaints in 2002. Perhaps the events of September 11th
have caused an increase in the awareness of religion; perhaps it is the
growth of the evangelical movement; or perhaps it is society embracing
the individuality of faith in contrast to the diversity of race, gender,
age, or ethnicity. Whatever the reason, employers must be prepared to
evaluate and accommodate religion in the workplace — a task that is
precarious even under the best circumstances. From requests to include
bible verses at the end of company e-mail, to holding prayer meetings in
the lunch room, to maintaining a physical appearance contrary to the
reputation and image of the company, to religions or religious practices
that are not in the “mainstream,” to companies founded on faith-based
principles, employers must navigate the waters of what constitutes an
appropriate and acceptable religion/accommodation — often without a
paddle.
Religion, like sex, race, color, national origin, age, and disability,
enjoys a level of protection in the workplace. Indeed, Title VII of the
Civil Rights Act of 1964 prohibits an employer from discriminating
against an individual based on the individual’s religion. An employer
must provide a reasonable accommodation for a religious practice unless
doing so would cause an undue hardship on the conduct of the employer’s
business. An employee who complains of religious discrimination must
show that (1) the employee has a bona fide religious belief that
conflicts with an employment requirement, (2) the employee informed the
employer of this belief, and (3) the employee was disciplined for
failing to comply with the conflicting employment requirement. The
burden then shifts to the employer to demonstrate that (1) a reasonable
accommodation was made or (2) that an accommodation could not be made
without undue hardship.
Applying these governing principles to claims of religious
discrimination in the workplace can be difficult – particularly if the
employee asserts an entitlement beyond what the employer believes is
reasonable or can accommodate. In Cloutier v. Costco Wholesale Corp.,
the employer adopted a policy prohibiting all facial jewelry other than
earrings. The employee asserted that her religious calling required her
body piercings to be visible at all times. The employer offered to allow
the employee to wear plastic retainers in place of the facial jewelry or
adhesive bandages to cover the jewelry. The employee refused the
accommodation and argued that she was entitled to an exemption from the
company policy. The EEOC agreed with the employee and the employee filed
suit under Title VII and applicable state law. The trial court
determined that the offered accommodation was reasonable and that Title
VII did not require a granting of the preferred accommodation but merely
a granting of a reasonable one. The appellate court upheld the decision
but on different grounds. The appellate court determined - irrespective
of whether the offered accommodation was reasonable - that a blanket
exemption from the policy would impose an undue hardship on the company.
Key to each analysis was the following:
- Cooperation of the company to accommodate within reason;
- Failure of the employee to accept an accommodation absent an exemption from the policy; and
- Company had a legitimate interest in presenting a workforce with a professional appearance.
Similarly, in Grant v.
Fairview Hosp. & Healthcare Serv., an ultrasound technician argued that
his religious beliefs required him to offer pastoral counseling to women
who were contemplating an abortion. While the employer would not permit
the employee to proselytize or provide pastoral counseling to a patient,
it did allow the employee to end the examination of a patient upon
learning that an abortion was being considered and to leave the room.
The court determined that the employer’s accommodation was reasonable
and that the employer was not required, under Title VII, to allow the
employee to impose his religious beliefs on others. In Wilson v. U.S.
West Communications, the employee asserted that her religious
obligations required her to wear an anti-abortion button depicting a
photograph of a fetus. Other employees complained and the employer
offered three accommodations including leaving the button in the
cubicle, covering the button while at work, and wearing a button without
the photograph. The employee refused each accommodation and requested
that her co-workers be instructed not to look at the button. The court
determined that, of the offered accommodations, only the requirement to
cover the button was reasonable since it
still allowed the employee to wear the button and reduced other
employees’ concerns.
Equally challenging is an allegation of harassment because of a
religious belief or lack thereof. In Johnson v. Spencer Press of Maine,
Inc., a supervisor repeatedly called a subordinate “a religious freak,”
told him not to talk about “religious bullshit,” made derogatory
comments about the Virgin Mary, and implied that the subordinate was not
getting enough sex due to his religion. The subordinate complained to
the company without response and eventually resigned. The subordinate
filed suit alleging, among other things, religious harassment and
constructive discharge. The employer argued that the subordinate was not
harassed because of his religion; rather, it was his religious
sensitivities that resulted in a feeling of harassment in the workplace.
The court rejected the employer’s argument with the following reasoning:
- linking the supervisor’s comments to an animosity toward the subordinate’s religious beliefs;
- recognizing a consistent theme and consistency in the type of harassment; and
- noting that the supervisor did not make similar comments to other employees.
Without a doubt, employers
are routinely faced with complex questions: Does a weekend overtime or
work requirement need to be accommodated for an individual who is not
able to work on the Sabbath? Must all employees participate in the daily
office devotional and how must an employer treat the one who does not?
Can we terminate or reassign an individual to a less public work area if
the individual’s appearance makes our customers or other employees
uncomfortable? Is the “religion” really a religion? To help answer these
questions, the EEOC provides some guidance on its Web site at
www.eeoc.gov. Indeed, the standards that the EEOC will apply to a
religious-based complaint as well as the EEOC’s interpretation of common
factual scenarios are readily found in the religious discrimination
section of the Web site.
Practically speaking, however, employers are more often faced with
unique situations that require difficult decisions. An accommodation can
just as easily snare a company as it can insulate a company from
complaint. Being able to turn to known and understood policies and
procedures is a critical first step when evaluating a religious-based
complaint or a request for accommodation in the workplace. Accordingly,
employers should:
- Prohibit discrimination and harassment based on religion in the workplace.
- Implement an anti-harassment policy that includes religion and procedures for reporting, investigating, and addressing religious discrimination, harassment, and retaliation.
- Routinely train and educate employees on religious accommodation practices and the policies and procedures governing religion in the workplace, including anti-harassment and reporting/investigations.
- Refrain from treating employees or prospective employees more or less favorably due to a religious belief or perceived religious belief or lack thereof.
- Refrain from placing greater restrictions on the expression of religion if other forms of non-business related expression are permitted in the workplace.
- Refrain from selectively enforcing policies and procedures regarding the use of company property or expression in the workplace. For example, allowing Christian employees to use the lunch room to pray but requiring Muslim employees to pray at their desks.
- Evaluate each request for accommodation and determine whether the request is reasonable and can be accommodated without undue hardship. If an undue hardship would result, be prepared to articulate the nature of the undue hardship with objective, non-discriminatory terms. For example, the company only has one conference room and the room is used daily for a business meeting at the same time the room has been requested for prayer, as compared to, if the company grants the request for one or a few employees all employees of the same religion will want the same treatment and thereby cause an undue hardship by disrupting the work day.
- Uniformly apply policies and procedures regarding the use of the company property, including e-mail, bulletin boards, voicemail, copy machines, etc., for non-business related purposes.
- Take a complaint relating to religious discrimination or harassment seriously and promptly address the complaint.
- Remove personal religious beliefs from the process.
- Consult with legal counsel to develop appropriate policies and procedures, to analyze the facts in light of the governing laws, and to provide guidance relating to documentation and resolution of the complaint.
Many lawsuits stem from poor
communication or understanding of the company’s policies and procedures.
With respect to religion, employers should take the necessary steps to
reduce any confusion.
For more information on this topic, please contact Robert L.
McTiernan, Co-Chair of the firm’s Labor and Employment Practice Group,
at 412.594.5528 or via e-mail at
rmctiernan@tuckerlaw.com
New Data Disposal Regulations Effective June 1, 2005:
Start Your Shredders
Almost every week we hear a
new report about some security breach where a business disclosed
personal data of its customers or employees. Sometimes these breaches
occur during routine disposal of data or documents—such as merely taking
out the trash. In an age where identity theft is a pernicious and
growing problem, these security breaches are cause for serious concern.
The Federal Trade Commission (FTC) has issued new regulations under the
Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit
Transactions Act (FACTA) aimed at reducing the risk of identity theft
that may occur during the disposal of sensitive data contained in
consumer reports.
To Whom Do the Regulations Apply?
Beginning June 1, 2005, all users of consumer reports will be subject to
the new FTC data disposal regulations. “Users” covered by the
regulations include employers who obtain consumer reports on prospective
or current employees. “Consumer reports” are very broadly defined. They
include background checks that employers obtain from third parties who,
as part of their business, provide reports about a person’s credit
worthiness, character, reputation, personal characteristics, or mode of
living, which are then used to determine eligibility for employment.
The sensitive information of concern that is contained in consumer
reports includes social security numbers, driver’s license numbers,
phone numbers, geographic addresses, and e-mail addresses. All
employers obtain this information on applicants and employees from
sources such as resumes, employment applications, and various other new
hire forms. Although the new FTC regulation applies only to sensitive
information contained in, or obtained from, consumer reports, it will be
virtually impossible for employers to track the source of each piece of
personal information to determine where it came from and whether it must
be destroyed in compliance with these regulations. Thus, we advise that
covered employers treat all such sensitive information as if it came
from a consumer report and comply fully with the FTC’s regulations.
What Do the Regulations Require?
“Any person who maintains or otherwise possesses consumer information
for a business purpose must properly dispose of such information by
taking reasonable measures to protect against unauthorized access to or
use of the information in connection with its disposal.” The regulations
recognize that employers may either dispose of such data themselves or
hire a third party contractor to do the job. Whichever method you
choose, you must ensure that after disposal, the data is no longer
practicably readable or reconstructible.
If you choose to dispose of the regulated data yourself, you must
implement policies and procedures that include shredding, pulverizing,
or burning such data and data storage media. Your policies and
procedures should include situations where you sell, donate or transfer
equipment upon which such information has been electronically stored. In
addition, you must monitor compliance with these policies and
procedures. If you choose to contract with a third party, you must
notify the service provider that your trash includes protected consumer
information, and include the provider’s agreement to follow these FACTA
regulations within the contract for services.
What Are the Penalties for Noncompliance?
Employers who violate the new FTC regulations are liable for statutory
damages of up to $1,000 for each employee whose data was improperly
disclosed during disposal, civil fines of up to $2,500 per employee, and
actual damages to employees whose identities are stolen as a result of
the disclosure. Expect a class action lawsuit when large numbers of
employment records are involved.
Considering the vast amount of personal and confidential information
maintained in human resources departments, having effective policies and
procedures regarding data security and disposal just makes good business
sense.
For more information on this topic, please contact Homer L. Walton,
Co-Chair of the firm’s Labor and Employment Practice Group, at
412.594.5657 or via e-mail at
hwalton@tuckerlaw.com.