Showing posts with label clarity element. Show all posts
Showing posts with label clarity element. Show all posts

Monday, April 13, 2015

Ohio Court of Appeals Reinstates Wrongful Discharge Claim Based on Employee Objections to Sharing Computer Passwords Even Though the Employer Was Not Subject to Liability Under the Applicable Statute.

On Thursday, a unanimous Cuyahoga County Court of Appeals reversed a directed verdict entered at trial in favor of an employer on a claim for wrongful discharge in violation of public policy based on the plaintiff’s objection to password sharing by employees.  Rebello v. Lender Processing Servs., Inc., 2015-Ohio-1380 (4-9-15).  The employer was a service provider for Chase Bank and was required by contract to restrict access to non-public information about Chase customers to employees who had cleared Chase’s security procedures (including a background check, and drug testing, etc.).  However, because Chase was not approving new employee passwords fast enough, it had allegedly become common practice for the employees to share passwords in order to keep up with their work.  The Plaintiff claimed to have objected to this process repeatedly, particularly after an email from Human Resources threatened that employees who shared passwords could be fired and subjected to civil and criminal liability.  Shortly after directing her subordinates to stop sharing emails and threatening to report the practice to upper management and Chase, she was fired for reasons that she claimed were pretextual.  At trial, the judge ruled that she had not identified a clear public policy against sharing passwords.  On appeal, the Court of Appeals found that the public policy reflected in the Gramm-Leach-Bliley Act, 15 U.S.C. §6801, et seq. was sufficiently clear to support her claim that she was fired for opposing unauthorized disclosure and use of non-public financial customer information.  Moreover, she could also show that this public policy was jeopardized by her termination since that statute did not contain any provisions protecting employees from retaliation for refusing to violate the Act or for threatening to report its breach.

According to the Court’s opinion, the plaintiff worked for a company which helped preserve property owned by customers of Chase Bank who were in financial distress or foreclosure.  In order to perform their duties, employees were provided with access by Chase to non-public information about the clients subject to a contract which required that access be limited to employees who had cleared Chase’s security protocols and were provided with a password by Chase. Moreover, they were required by the Chase contract to report to Chase any unauthorized disclosures of the information.   However, apparently, Chase was not providing passwords fast enough and it had become common practice for employees to share passwords in order to keep up with the work.  There was evidence that the plaintiff had objected to this process for over 18 months and was repeatedly told to stay the course and management would take care of the problem.    There was also evidence that upper management became aware – at least several occasions – that passwords were being shared and that they told employees to stop sharing passwords and requested Chase to speed up its process.  

After a Denver employee reported the password sharing practice in her exit interview, the issue came to the forefront again in February 2012.  A conference call was held and supervisors, including the Plaintiff, were told that password sharing must stop.   The Plaintiff’s manager told her to stay the course and calm down and that it was not their job to inform Chase about the password sharing.   When password sharing continued, Human Resources sent an email to all employees at the end of February reminding them that they were not permitted to share passwords, that they could be immediately fired for sharing passwords and that they could also be civilly and/or criminally prosecuted.   Plaintiff informed her supervisor that she would prohibit her employees from sharing passwords even if it meant that the work production suffered and that that she would inform upper management or Chase about the password sharing.  She was told that the company’s Information Service Officer would handle it.  

The following week, the Plaintiff’s manager claimed she reported concerns with the Plaintiff’s attendance and tardiness.  On April 2, a co-worker allegedly complained about disruptive profanity the Plaintiff used in a personal telephone call.  A subsequent investigation by Human Resources discovered that other employees had been similarly disturbed by other personal telephone calls by the Plaintiff.  Therefore, the Plaintiff was summarily fired for “for disrupting the work environment, unsatisfactory performance, violation of policies and procedures, challenges with supervisory execution and challenges with attendance, punctuality and time off.”  There was apparently no documentation of prior disciplinary or performance issues.  

The plaintiff filed a wrongful discharge in violation of public policy claim based on several statutes: the Fair Credit Reporting Act, Ohio’s identify theft protection statute and the Gramm-Leach-Bliley Act, 15 U.S.C. §6801 (“GLBA”).  The employer’s motion to dismiss was denied, as was its summary judgment motion.  However, at trial, the visiting judge granted the employer’s motion for directed verdict (thus, removing the case from the jury) on the ground that none of these statutes clearly addressed the plaintiff’s objections to employees sharing computer passwords.  This appeal followed.  

On appeal, the Court agreed that the employer was not subject to the Fair Credit Reporting Act because it was not a consumer reporting agency and the Plaintiff failed to show “that her concerns regarding password sharing in any way implicated any of the specific policies or purposes FCRA was enacted to address.”  It also found that Ohio’s identity theft statute, R.C.§1349.19,  did not apply because  

there was no evidence that, as a result of password sharing, LPS’s or Chase’s security systems were “breached” as defined in the statute or that any unauthorized “access and acquisition” of personal information occurred (or was likely to occur) that “cause[d] or reasonably is believed will cause a material risk of identity theft or other fraud.” [She] presented no evidence that any of the Chase customers whose information was accessed by LPS employees through password sharing was at any material risk of identity theft, fraud or any other financial harm as a result of that practice.
However, the GLBA was different. “The GLBA requires financial institutions to take steps to ensure the security and confidentiality of the nonpublic information of its customers.”  Moreover, the Interagency Guidelines Establishing Information Security Standards (“guidelines”), 12 C.F.R. part 30, Appx. B, “apply to ‘customer information maintained by or on behalf of entities over which the office of the Comptroller of the Currency has authority’ and “address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” 

The guidelines also require banks to consider whether other security measures, such as controls to authenticate and permit access only to authorized individuals, controls to prevent employees from providing customer information to unauthorized individuals, and encryption of electronic customer information to which unauthorized individuals may have access, are appropriate and, if so, adopt those measures. . . . The guidelines also require banks to “[r]equire its service providers by contract to implement appropriate measures designed to meet the objectives” . . . “Service providers” include “any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the [bank].”
The Court concluded that the GLBA and its guidelines established a clear public policy. The employer did “not dispute that the GLBA and its regulations apply to Chase and the nonpublic customer information accessed by” the employer’s employees, but argued that the GLBA technically only applied to Chase and not to service providers like it. The Court rejected this argument: 

[The employer] cites no authority in support of its contention that an employer must be found to have violated and subject to liability under the specific statute that serves as the source of the public policy before we may conclude that a clear public policy exists that has been compromised by the employer’s conduct.
Importantly, the employer’s own documents, policies and contracts acknowledged that its activities were subject to the GLBA and that it had a statutory obligation to comply with that statute to protect and maintain the confidentiality of Chase customer information.
The Court also rejected the employer’s attempts to limit characterization of the Plaintiff’s objections to “password sharing,” which is not a specific activity discussed in the GLBA.   While there would be no statutory violation if passwords were shared among employees who were already authorized by Chase to access the non-public information, there arguably would be a statutory violation if the passwords were shared with individuals who were not authorized to access the information.
Rebello does not contend that there is a public policy against “password sharing” under the GLBA or any other state or federal law. Instead, she argues that her objections to password sharing and threats to report LPS’s practice of password sharing to Chase implicated public policy because they related to concerns over the unauthorized access and disclosure of nonpublic personal information of Chase’s customers. Rebello contends that “by objecting to sharing passwords, she [was] objecting to a practice that threatened the confidentiality and allowed unauthorized access of individuals to confidential nonpublic customer information.” She argues that even though there is no public policy against password sharing per se, there is a public policy manifested in the GLBA to protect against the unauthorized access and disclosure of nonpublic personal information and that because LPS’s and Chase’s anti-password sharing policies were implemented (at least in part) to prevent the unauthorized access and disclosure of this information, dismissing employees under circumstances like those allegedly involved in her dismissal, i.e., for refusing to continue sharing passwords and threatening to report password sharing among LPS employees to Chase, would jeopardize that public policy.
 . . . Where, however, a password that permits access to nonpublic customer information is shared with a person who does not have authority to access that information and the password is, in fact, used by the person with whom it is shared to access nonpublic consumer information, password sharing results in the unauthorized disclosure of that information, thereby implicating the public policy against unauthorized access and disclosure of nonpublic personal information of consumers. Thus, the issue in this case is whether Rebello’s objections to password sharing were akin to a complaint regarding the unauthorized access and disclosure of nonpublic consumer information.

That being said, there was still a factual dispute about the scope of the password sharing.  The employer produced evidence that the individuals gaining access had been authorized to do so by Chase, but simply had not yet received the means of access (i.e., a password token).   However, the Plaintiff and one other witness testified that access was also being provided to employees who had not yet been authorized by Chase.  To complicate the matter further, the Plaintiff did not think it really mattered whether the employees had been authorized by Chase to access the information or not since the contract and policy prohibited sharing passwords.  She viewed the issue of password sharing to be virtually identical to the issue of unauthorized disclosure of the protected information.  The Court concluded that a reasonable jury could agree with the Plaintiff:
In this case, based on the evidence presented by Rebello that LPS was regularly and systemically disregarding the password system established by Chase and allowing LPS employees who had not yet been authorized by Chase to access its nonpublic customer information, a reasonable jury could have found that there was, in fact, no difference between Rebello objecting to password sharing and Rebello objecting specifically to the results of that password sharing, i.e., the unauthorized access and disclosure of nonpublic information to LPS employees. The trial court erred in taking that determination away from the jury and concluding as a matter of law that “[t]he mere assertion relative to sharing passwords is insufficient to satisfy the clarity element of a wrongful termination action.”
Moreover, it was irrelevant that no identity theft had actually occurred as a result of the password sharing practice or that the violation of the password protocols had not actually harmed any of Chase’s customers.  The alleged unauthorized access by the employees was by itself enough harm to the privacy interests of Chase’s customers as protected by the GLBA:
Rebello was not required to show that any consumer identity theft had occurred or that any consumer’s confidential information had otherwise been misappropriated to establish the clarity and jeopardy elements of her claim. A plaintiff asserting a claim of wrongful termination in violation of public policy is not required to show that the conduct to which the employee objected actually resulted in the type of harm that the public policy seeks to prevent. Furthermore, even if such a showing were required, the unauthorized access of Chase’s  customers’ nonpublic information by LPS employees in and of itself caused a harm to the privacy interests of those customers — one of the interests the GLBA seeks to protect. (bolding added for emphasis).
Finally, the Court found that public policy could be jeopardized by the employer’s conduct in terminating the Plaintiff for refusing to participate and threatening to report its alleged violation of the statute.   Public policy claims at common law can only exist where the applicable statute does not provide exclusive remedies for its breach.
The GLBA contains no statutory remedies protecting employees who complain about, refuse to participate in and threaten to disclose an employer’s unauthorized access and disclosure of nonpublic consumer information. Thus, there is no existing statutory remedy that “adequately protect[s] society’s interest [in] discouraging this wrongful conduct.” Id. If employers were allowed to terminate employees for objecting to, refusing to participate in and threatening to disclose the unauthorized access and disclosure of nonpublic consumer information, such retaliatory practices could deter employees from reporting or taking other steps to protect nonpublic consumer information from unauthorized access and disclosure. We find that without a common-law tort for wrongful discharge under these circumstances, the clear public policy against unauthorized access and disclosure of nonpublic consumer information would be compromised.

NOTICE: This summary is designed merely to inform and alert you of recent legal developments. It does not constitute legal advice and does not apply to any particular situation because different facts could lead to different results. Information here can be changed or amended without notice. Readers should not act upon this information without legal advice. If you have any questions about anything you have read, you should consult with or retain an employment attorney.

Thursday, September 15, 2011

Ohio Supreme Court Finally Puts Nail in Dohme Coffin

This morning, the Ohio Supreme Court finally reversed the Dohme case on the merits, finding that that the plaintiff had failed to allege the violation of any state or federal statute, regulation, rule or decision when he was fired for insubordination after complaining to an insurance adjuster (despite explicit instructions to the contrary) about certain fire alarm inspection reports being missing as part of a supposed scheme to set him up to be fired. Dohme v. Eurand America, Inc., 2011-Ohio-4609. As reported here in June and earlier in February 2008, “the Ohio Supreme Court heard oral argument about whether public policy wrongful discharge claims should be recognized when the employee did not “blow the whistle” to either a government agency or management about safety concerns, but rather, complained to a private sector insurance auditor about his paranoia of being set up to be fired due to an allegedly missing document about fire alarm inspections. The Court resolved the dispute on the very narrow grounds of the “clarity” element of a wrongful discharge claim. Because the plaintiff had failed to identify any law which permitted, encouraged or required him to express his concerns to the adjuster, the employer was perfectly justified to forbid unauthorized conversations with the adjuster and to fire the plaintiff for insubordination when he disregarded those explicit instructions. Vague concerns about workplace safety are insufficient to support a claim for wrongful discharge. Rather, citation to some legal authority is required:



[T]o satisfy the clarity element of a claim of wrongful discharge in violation of public policy, a terminated employee must articulate a clear public policy by citation to specific provisions in the federal or state constitution, federal or state statutes, administrative rules and regulations, or common law. A general reference to workplace safety is insufficient to meet the clarity requirement.

Interestingly, the Court also noted that it was inappropriate for a court to sua sponte fill in a supposed public policy if the plaintiff fails to identify such a policy or law.


NOTICE: This summary is designed merely to inform and alert you of recent legal developments. It does not constitute legal advice and does not apply to any particular situation because different facts could lead to different results. Information here can change or be amended without notice. Readers should not act upon this information without legal advice. If you have any questions about anything you have read, you should consult with or retain an employment attorney.

Thursday, May 19, 2011

Court Rejects Public Policy Wrongful Discharge Claim for Lack of Clarity About Employer’s Alleged Legal Violation


Last week, the Ohio Court of Appeals affirmed the dismissal of a wrongful discharge claim brought by a terminated paramedic who alleged that he was fired for opposing the mistreatment of a patient in violation of Ohio public policy. Strodtbeck v. Lake Hosp. Sys., Inc., 2011-Ohio-2327. He questioned the medical treatment of a patient and took a picture of the alleged mistreatment with his cell phone camera and later showed the picture to the nurse manager and human resources while sharing his concerns. The employer chose to focus on his failure to obtain written consent from the patient before taking the picture instead of his complaint and terminated his employment. The Court found that the plaintiff had failed to identify any clear public policy, statute or other law which applied to his actions or which the hospital violated in terminating his employment. Thus, he had failed to satisfy the "clarity" element of a claim for wrongful discharge in violation of public policy.


In moving for summary judgment, the hospital had pointed out that the plaintiff did not have explicit permission from management to take the picture, failed to obtain written consent from the patient (as required by HIPAA practices), used his personal cell phone during working hours and failed to use the hospital's Polaroid camera in the ER to document his concerns. More importantly, the plaintiff failed to identify any specific public policy which the hospital violated in terminating his employment. Among other things, he failed to identify any required standard of medical care that would cover the amount of tape used to attach a catheter to a patient's leg or reporting possible patient abuse or maltreatment in a hospital setting.


The plaintiff argued that his situation was analogous to other situations where courts have found violations of public policy. However, the court refused to accept analogous situation as sufficient to satisfy the "clarity" element of a public policy wrongful discharge claim. Accordingly, the Court rejected the plaintiff's attempt to analogize his situation to one where an employee is fired for consulting with an attorney. Similarly, the court rejected the argument that his situation was analogous to firing an employee for cooperating with a criminal investigation of the employer because there was never any criminal investigation in this case and the plaintiff never alleged that the alleged mistreatment of the patient was criminal. Likewise, the plaintiff could not analogize to a situation where the employee was fired to testifying against the employer because there was never any legal or administrative proceeding in this case. Finally, the court refused to recognize an applicable public policy from the nursing home patient's bill of rights because the patient was in a hospital, not a nursing home, and there is a statutory remedy in nursing home abuse situations.


NOTICE: This summary is designed merely to inform and alert you of recent legal developments. It does not constitute legal advice and does not apply to any particular situation because different facts could lead to different results. Information here can change or be amended without notice. Readers should not act upon this information without legal advice. If you have any questions about anything you have read, you should consult with or retain an employment attorney.