Date: Jun 02, 2009
On April 22, 2009, in the case of Zungoli v. United Parcel Service, Inc. et. al., Civ. Action No. 07-2194, Judge Susan D. Wigenton of the U.S. District Court for the District of New Jersey issued an opinion denying defendants' motion to dismiss retaliation claims filed by a former employee who challenged his termination under the anti-retaliation provisions of the New Jersey Conscientious Employee Protection Act ("CEPA") and the federal Family Medical Leave Act ("FMLA") on summary judgment grounds. The court dismissed a third claim brought under the New Jersey Law against Discrimination ("NJLAD") as preempted by the federal Employment Retirement Income Security Act (ERISA). This decision marks the first occasion that state identity theft protection, breach notification and privacy laws have been used as the basis for a wrongful discharge claim under a state whistleblower protection statute.
Plaintiff was a long-term employee who used extended FMLA leave in 2001 and 2004 in connection with his own serious health condition. Instead of returning him to the same or substantially similar position following his leave in 2001, UPS demoted him, forced him to report to a former subordinate, and gave him a minimal salary increase for the performance term covering the leave period. Following his return from FLMA leave in 2004, plaintiff was involuntarily transferred to a new department, given a marginal performance review, and identified as a potentially over-compensated individual. In January 2006, plaintiff was placed on a list of persons not likely to succeed and marked for termination. In the same month, plaintiff began complaining to UPS that he didn't want to enter specific identifying information about himself in the UPSers.com data base because UPS warned users that they had no legitimate expectation of privacy when using UPS portals and because the UPSers.com software lacked user- authentication security protection. When UPS rolled out a new employee talent management data base in May 2006, plaintiff refused to become a registered user for the same reasons. In August 2006, plaintiff received a less than satisfactory performance rating, based in part upon his refusal to register and use the UPS portals. In November 2006, plaintiff was notified that he was being terminated after taking sick leave and making a request for short term disability leave.
In 2007, the plaintiff sued defendants in federal court alleging that his termination was motivated, in whole or in part, by activity protected under CEPA and FMLA. In support of his whistleblower claim, plaintiff alleged that the portal was not secure, and could expose personal confidential information. Plaintiff pointed to 1) a standard disclaimer in the terms and conditions of UPSers.com that users had no expectation of privacy when using the portal; 2) lack of a user authentication system for most users to protect their confidential information, and 3) the system allowed another user to be contemporaneously logged onto the system with the same user name and password.
The court denied defendants' summary judgment motion on the CEPA and FEMLA retaliation claims because of the existence of material disputes of fact. With respect to the CEPA claim, the court entered a preliminary legal finding that a significant nexus existed between plaintiff's alleged whistleblower activity and the public policy considerations underlying the New Jersey Identity Theft Protection Act (ITPA) and the right to privacy protected under the New Jersey State Constitution. Given the existence of direct evidence that plaintiff's August 2006 unsatisfactory performance review was based in part upon his refusal to use the UPS portals, and the close proximity of the ensuing termination decision, plaintiff was entitled to a jury determination on two key factual issues: (1) whether his belief that the UPS failed to comply with the privacy protections of the ITPA and State Constitution were objectively and subjectively reasonable; and (2) whether his termination was motivated in whole or in part by CEPA-protected whistle blowing activity. Likewise, the court held that plaintiff was entitled to have a jury determine whether defendants retaliated against him in the terms and conditions of employment based on his FMLA usage. Defendants have moved for reconsideration based on evidence that plaintiff destroyed mitigation evidence favorable to the defense. It is unclear whether the defense motion will result in a material change in the court's ruling, but if the case does go to trial, a jury could potentially award plaintiff injunctive and monetary relief in the form of back pay, compensatory damages, punitive damages and attorney's fees.
The Zungoli decision is significant for employers that operate web-based portals for human resources, talent management, training, performance, and related matters, for several reasons:
· Employers that maintain electronic systems containing personal information should review the security measures in place to protect the information, consider implementing written security policies, evaluate whether the employer is collecting only necessary information, train employees on established policies and procedures, and develop security breach response procedures. Approximately thirty (30) states have laws pertaining to the use, display, and handling of social security numbers. Some states, including MA and OR, also have laws relating to the development and implementation of written information security programs for records containing personal information. Personal information is generally defined as an individual's name plus social security number, driver's licenses number, or financial account number. In addition, the majority of states have adopted data breach notification laws, which require companies to notify individuals whose personal information (in most cases, information that is stored electronically) has been breached. There have been breaches of security involving HR databases. The U.S. Federal Trade Commission (FTC) has also addressed the need for security in the wake of data breaches, bringing enforcement actions, for example, against companies that the FTC contended lacked adequate security. Discussions continue in Congress about adopting a national data security and breach notification law.
· If an employer fails to implement appropriate security protections, it must allow employees in states with identity protection and privacy protection laws to opt-out without fear of discipline or other adverse employment action. The advantages of web-based HR portals in terms of cost savings and ease of use can be lost if employees broadly opt-out, and some companies do not offer U.S. employees a general right to opt-out of web-based HR databases.
· Employers should modify disclaimers such as those contained on the UPS portals that users have no reasonable expectation of privacy with respect to their personal information. Failure to do so could invite whistleblower and privacy lawsuits by employees and their representatives, which could result in liability for compensatory and punitive damages and attorney's fees. While no system can offer absolute guarantees of security and privacy, adoption and implementation of reasonable and appropriate technical, administrative and physical security measures should be instituted to safeguard these types of databases.
· Data protection laws vary by country, so it is important for multinational employers to understand what data is stored on their systems, where and in what forms the data resides, and how the data will be used, stored, and transferred. For example, unlike U.S. law, EU law prohibits the transfer of personal data from the EU to countries that do not ensure adequate protection, except under certain circumstances, and EU residents typically can opt-out of having personal information stored in electronic systems.
Employers should continue to review and update data security and privacy practices periodically.
For more information on Keller and Heckman llp's employee whistleblower, privacy and data security issues, please contact Sheila Millar at 202-434-4143 email@example.com, Manesh Rath at 202-434-4182 firstname.lastname@example.org or Tracy Marshall at 202-434-4234 email@example.com.