Balancing Employee Security Rights
BALANCING EMPLOYEE SECURITY RIGHTS
AT THE WORKPLACE
By:
AUGUST BEQUAI, ESQ
I. INTRODUCTION
The Internet - an outgrowth of America’s Cold War efforts-is touted daily as an efficient and inexpensive vehicle for electronic commerce. One that both business and government can employ effectively to conduct their daily operations; with an army of vendors ready to assist.
But as U.S. businesses and individuals turn to the Internet in growing numbers, serious concerns over crime and security continue unabated. These are in need of serious long-term consideration. Businesses that fail to enact proper measures to address these concerns, invite both adverse publicity and costly litigation.
The euphoria and financial motives that have fueled the growth of the Internet, need also accommodate serious concerns over crime and security. For in the minds of a growing number of business and government officials in the U.S., there is a growing awareness that the Internet is not the fabled genie of Aladdin’s lamp.
II. DEALING WITH SECURITY CONCERNS
While many in business and government acknowledge the need for security in cyber-space, few agree on what constitutes adequate security to stave off legal exposure; or whether the impetus should be on technical as opposed to personnel side of security. In any case, there is a consensus in legal circles that to stave off litigation, a security program should address several basic security needs:
A. Serving Information Systems: the news media has amply documented hacker and criminal attacks against information systems. The threats are both internal and external. To minimize legal exposure, an organization’s security efforts should be directed at:
1. Safeguarding mainframes, peripherals, PCs, and laptop computers. The growing theft of laptop computers in the U.S. has come to pose a serious problem for both business and government. This is further aggravated by the fact that management pays scant attention to laptop security. As for U.S. law enforcement agencies, traditional crime and not the Internet ranks high in their priorities.
2. Preventing the theft and diversion of processing and memory chips. Losses in this area now run in the billions of dollars annually. The ease with which these thefts can be carried out has attracted the attention of America’s Mafia syndicates and other professional criminals.
3. Deterring the unauthorized copying and use of computer programs. With software piracy now a $10 billion dollar annual business in the U.S., and prosecutions the exception rather than the norm, litigation is on the upswing.
B. Safeguards for Data: the long-term survival of a modern organization depends on its ability to secure its proprietary data. In the cyber-environment, corporate productivity may increasingly be dependent on electronic blips being transmitted over the Internet and other on-line systems. Computers and telecommunications systems have replaced King Solomon’s mines. To prove legally effective, a data security program should secure:
1. Trade secrets and related organizational technical “know-how”; i.e., scientific findings, inventions, etc.
2. Confidential acquisition and marketing plans, projected earnings, and other proprietary business information.
3. Personnel, medical, and financial records; in the U.S. the privacy and confidentiality of these records is mandated by both federal and state laws.
4. Customer and vendor records; so as to prevent their alteration or modification by dishonest and irate insiders.
III. LEGAL SAFEGUARDS
In addition to the technical and personnel safeguards management can rely on to limit its legal exposure to abuses in cyber-space, there are also legal safeguards that it can turn to:
A. Federal/State Laws: both at the federal and state levels, numerous laws have been enacted to address the threat of cyber-crime; among these:
1. Federal Computer Fraud and Abuse Act: makes it a Federal crime to access a computer without authorization or in excess of the authorization, for the purpose of causing an unauthorized act. The U.S. Secret Service and FBI are the two federal agencies charged with investigating violations of the Act. Violations are punishable by fines and imprisonment of up to 10 years.
The Act also targets computers that are used by financial institutions and federal agencies; as well as any computer which is “one of two or more computers used in committing the offense, not all of which are located in the same state.” The following unauthorized activities are made criminal by the Act:
a. Obtaining classified information which deals with national defense, foreign relations or restricted nuclear energy data; with the intent to use it for the purpose of causing injury to the U.S. government or to advance the interests of a foreign power.
b. Gaining unauthorized access to information that belongs to a financial institution, credit card issuer, or consumer-reporting agency.
c. Accessing the computer of a federal agency, for the purpose of adversely affecting its use.
d. Accessing a computer, for the purpose of committing a fraud.
e. Transmitting a program, data, code, or command for the purpose of damaging or denying use of a computer system or program.
f. Transmitting a code, data, or program, so as to modify or alter medical records.
g. Transmitting a program, code, or command so as to impair the operation of a computer system or program.
h. Knowingly and with the intent to defraud, traffic in confidential computer passwords.
One of the first prosecutions in the U.S. under the Act, was that of United States v. Morris, 928 F.2d 504 (2d Cir. 1991). In the Morris case, the U.S. Second Circuit affirmed the Defendant’s conviction under the Act. The Defendant, a graduate student at Cornell University, had transmitted a rogue program into the Internet from his college computer.
The Court made several points in its interpretation of the Act. First, that intentional access alone was sufficient for conviction under the Act. Secondly, that the prosecution did not need to prove intent to cause damage or injury. Thirdly, that the unauthorized access element was satisfied when a computer to which one had authorized access, was used for an unauthorized purpose.
2. Intellectual Property: Both at the federal and state level, intellectual property laws have also been used to prosecute cyber-crimes and willful breaches in security. For example:
a. Copyright Act: is used to safeguard computer programs and related intellectual property. The Act provides as follows:
1. Subject Matter: the copyright protection subsists in original works of authorship fixed in a tangible medium of expression, not known or later developed; from which the works can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device.
2. Works of Authorship: these include literary works, computer programs, digital databases, motion pictures, audiovisual works, pictorial works, and sound recordings. The Act defines a “computer program” as “a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result.”
3. Exclusive rights: the copyright protections are limited solely to the expression of ideas. Processes, procedures, methods of operation, and the like are not covered. A copyright accords its lawful owner the exclusive right to: reproduce the work; prepare derivative works; distribute copies of the copyrighted work by sale, rental, lease, or other transfer of ownership; and/or perform or display the copyrighted work publicly.
4. Infringement: under the Act, anyone who violates any of the exclusive rights of a copyright owner is considered an infringer. “Anyone” includes any instrumentality of government; as well as any officer or employee of such an instrumentality.
5. Civil Remedies: in cases of infringement, the Copyright Act provided for: temporary and permanent injunctions; impounding and disposition of the infringing articles; actual or statutory damages (at Plaintiff’s election); and legal costs and fees.
6. Criminal Sanctions: anyone who is found to willfully infringe on a copyright for the purpose of gaining a commercial advantage or gain, can face fines of up to $250,000 and/or imprisoned for up to 10 years.
7. Fair Use: this is a common defense - based on the principles of equity - to an action for copyright infringement. It is available with respect to all unauthorized uses of works in all media. In determining whether a use is fair, a court will consider the purpose and character of the use; including whether it is of a commercial nature or is for nonprofit and educational purposes.
The court may also consider the: nature of the copyrighted work; amount and substantiality of the portion used in relation to the copyrighted work as a whole; and effect of the use upon the potential market for or value of the copyrighted work. While the jurisprudence of fair use is extensive; its scope is an issue of ongoing debate in the context of the Internet, where information in a digital format is quickly and perfectly exchanged.
8. On-line Environments: for purposes of the Act, these include the Internet, Intranets, and bulletin boards; as well as a variety of intermediaries between.
B. Judicial Perspective: while the number of judicial holdings on the Internet in the U.S. is on the increase, several key decisions reflect the judicial mindset in this area. For example:
1. Playboy Enterprises v. Frena, 839 F. Supp. 1552 (1993): the Court found the Defendant (a bulletin board operator) liable as a direct copyright infringer. The issue before the Court was whether an operator would be held liable for the acts of users who had uploaded and downloaded copyrighted photographs belonging to the Plaintiff. Despite the operator’s defense of alleged lack of knowledge of the infringing activity, the Court found him liable as a direct infringer on the ground that providing access to the computer bulletin board was equivalent to “distributing” and “displaying” the infringing photos.
2. Sega Enterprises v. Maphia, 857 V. Supp. 679 (1994): the issue before the Court was whether a bulletin board operator could be held liable for the acts of users who had uploaded and downloaded Sega’s copyrighted video games. The Court observed that even in instances where a Defendant does not upload or download copyrighted games, liability could still attach under the third-party liability theory of contributory copyright infringement.
The Court added that by providing the needed facilities, direction, and knowledge, this amounted to contributory copyright infringement.
3. Fonovisa v. Cherry Auction, CV 94-15717 (1996): the Court addressed the issue of vicarious liability of on-line service providers, BBS operators, and others.
The Court allowed a music company to pursue claims of vicarious liability for copyright infringement against the operator of a “swap meet” where third-party vendors regularly sold counterfeit sound recordings, with the knowledge and failure to act on the part of the swap meet owner.
C. Lanham Act: the trademark laws are increasingly being employed as a form of intellectual property protection in on-line environments. The Act addresses the following:
1. Scope: trademark laws are designed to safeguard the name, design, and/or other indicia of origin under which a seller distinguishes its goods and services from those of another. The Act defines the term “trademark” to encompass any word, name, symbol, or device; or any combination thereof, used by a person or which a person has a bona fide intention to use in commerce, and applies to register on the principal register established by the Act.
2. Safeguards: these are limited to those marks which are inherently distinctive or have acquired a secondary meaning; i.e., invoke a connection in the public’s mind between the mark and the provider of the goods or service. Marks that are merely descriptive of a product do not inherently qualify.
3. Infringement: is said to occur when someone other than the rightful owner of a trademark uses the same or a confusingly similar term on the same or closely related goods or services; as well as in the same geographical area.
4. Remedies: those are available under both federal and state laws, and include: a court order against future infringements; profits the infringer has derived; damages for any past infringement(s) suffered by the owner of the mark; destruction of all materials bearing the infringing mark; costs of the legal action; and reasonable attorneys fees. Some states also provide criminal sanctions for certain types of trademark infringements.
5. Internet: trademark safeguards over the Internet come into play as follows:
a. Domain names - trademark safeguards have been applied to domain names; namely, word or words such as the name of an individual, organization, business, a brand name or trademark, or any other word commonly associated with a specific user.
b. Applicant: for purposes of domain name registration, an applicant must state that it has a lawful right to use the name, it intends to use the name regularly over the Internet, and the registration is not sought for any illegal purposes.
D. Trade Secrets: under current U.S. judicial holdings, a “trade secret” is viewed as consisting of a whole or any portion or phase of any scientific or technical information, design, process, procedure, formula, improvement, confidential business or financial information, listing of names, addresses, or telephone numbers; or any other information relating to any business or profession which is secret and of value. Trade secret laws are being used, primarily at the State level, with greater frequency in Internet Litigation.
E. Privacy Laws: the privacy laws have also been employed to address abuses in cyber-space. Among these:
1. Electronic Communications Privacy Act: enacted in 1986, the Act codifies the warrant requirements for the interception of data communications by government agencies; as well as creating privacy safeguards for corporate databases.
a. Penal: under the Act anyone who intentionally accesses, without authorization, a facility through which an electronic communication service is provided; or who intentionally exceeds an authorization to access that facility and “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage of such system” can face fines of up to $250,000 and/or imprisonment for up to two years.
b. E-mail: the right of employers to monitor the E-mail of their employees is not well defined by the Act. The Act, however, does allow the provider of an electronic communication service to intercept messages for the “protection of the service’s property or rights.”
2. Right to Financial Privacy Act: limits the authority of Federal agencies to obtain financial records from banks and other financial institutions. To do so, the agency must first provide a formal written statement that describes the nature of the records sought; as well as the purpose for the disclosure. A copy of the request must also be sent to the institution’s customer, who can move for a court order prohibiting access. Both the agency and the financial institution can be held civilly liable for any unauthorized disclosure.
F. Defamation: the key elements of a common law defamation claim are: a false and defamatory statement about another party; published to one or more third parties without a privilege; by a publisher who is at least negligent in communicating the information; and which results in presumed or actual damage. The law of defamation is being actively applied to the Internet and other on-line environments. For example:
1. Cubby, Inc. v. CompuServe, 776 F.Supp. 135 (1991): Plaintiff, Cubby, Inc. charged CompuServe with making defamatory remarks via a bulletin board published by an independent party. CompuServe argued that it was a “distributor” and not a “publisher”; therefore, it should not be held liable unless it had reason to know of the bulletin board’s content. The Court concurred; comparing CompuServe to a traditional newsvendor or bookstore, and applied the negligence standard.
2. Stratton Oakmont v. Prodigy, 1995 N.Y. Misc. LEXIS 229 (N.Y. Sup. Ct., May 24, 1995): an unidentified user had posted statements on Prodigy’s “Money Talk” bulletin board; accusing the Plaintiff, an investment banking firm, and its president of criminal and fraudulent conduct in connection with a private offering.
The Court took note that the marketing information circulated by the Defendant stated that it exercised editorial control over the content of messages posted on its bulletin boards; differentiating it from its competitors. Further, that Prodigy had issued content guidelines; requesting users to refrain from posting insulting notes and warning them that it would remove such notes. Prodigy, the Court concluded, was a publisher for purposes of a defamation action.
SUMMARY
The 21st Century will aptly be described as the Age of Cyber-Space. The Internet is still in its infancy. While proponents of the Internet tout its value as the Magic Genie of electronic commerce, it continues to face many hurdles; some of the more crucial deal with the rights of employees in the electronic workplace. If these are not properly addressed in the near future, the Internet may find its maturation hampered.
Tags: employee security rights at the workplace, Employment Law