IMA Executive News & Views Blog

Welcome to the Rock and the Hard Place

Waltz, Palmer & Dawson, LLC is an IMA B2B Partner

How Can You Protect Your Business’ Data Without Violating Employee Rights?

Cyber security is a hot topic involved in all aspects of our lives, especially in our work and businesses. Everyone wants to remind you that your data is at risk and that more data breaches come from employee activity than any other area. To cover everyone from executives and chief officers to controllers and human resource employees, companies are writing strict employee policies to try to protect their Confidential Information. “You cannot disclose any confidential or sensitive Company information without getting permission!” or “No posting of Company information in public forums (i.e. Facebook, Twitter, etc.).” Does this sound familiar?

Cyber Security Protections Versus Employees’ Rights: How to Stay in Compliance with Both

Whether these policies actually help the problem is questionable, but one thing is definite – these policies may violate laws intended to protect employees and can leave you open to action being taken against your Company by the National Labor Relations Board (NLRB).

Do You Know Who the National Labor Relations Board (NLRB) Is and Are You in Compliance?

The NLRB believes that some confidentiality agreements and privacy policies infringe on an employee’s right to “engage in protected concerted activities.” Per the NLRB website, a single employee can engage in a “concerted activity” if he or she involves co-workers before acting, or acts on behalf of others. Therefore, an employee’s posts on her Facebook wall can be considered a concerted activity and be protected under the NLRB.

So, what can a business and its employees do? Well, the NLRB has tried to clarify that a bit for employers. While it’s not black and white, here are some guidelines to follow:

Social Media Policies


  • No employee can publish the Company’s confidential or sensitive information.
  • No employee can reference Company as your employer or refer to Company’s website without first getting permission.
  • No employee can post anything that may injure the image or reputation of the Company.


  • Employees are encouraged to express themselves in a respectful manner while on social media.
  • If you identify yourself as a Company employee or discuss matters related to the Company’s business on social media, please put a disclaimer in a prominent location on your page. For example, “The views expressed on this web site/blog are mine alone and do not necessarily reflect the views of my employer.”

Confidentiality Agreements


  • Never publish or disclose Company’s or another’s Confidential or other Proprietary Information.
  • Discuss work matters only with other Company employees who have a specific business reason to know or have access to such information…Do not discuss work matters in public places.
  • Confidential Information is all information in which its unauthorized disclosure could adversely affect the Company’s interests, image and reputation or compromise personal and private information of its members.


  • Do not disclose confidential financial data, or other non-public proprietary Company information. Do not share Confidential Information regarding business partners, vendors or customers.

Along with these policies potentially violating the National Labor Relations Act, these policies can also violate the Illinois Right to Privacy in the Workplace Act.

Are You Aware of the Illinois Right to Privacy in the Workplace Act? Are You in Compliance with the Illinois Right to Privacy in the Workplace Act?

The Right to Privacy in the Workplace Act says:

“… it shall be unlawful for an employer to refuse to hire or to discharge any individual, or otherwise disadvantage any individual, with respect to compensation, terms, conditions or privileges of employment because the individual uses lawful products off the premises of the employer during nonworking hours.”

That means you cannot take action against an employee for lawfully posting on social media during nonworking hours. Below are some guidelines on what this actually means in a practical sense.


  • Can’t restrict employee lawful activities “off duty”
  • Can’t request or require any employee or prospective employee to provide any password or demand access to their social networking website


  • Restrict activities at work, including internet use, email, and social media policies
  • Download programs that monitor computer/internet usage (must give notice)

So, does that mean you can’t create policies to protect your Confidential and/or Proprietary Information or how employees post about your company or their co-workers on social media platforms? No, it doesn’t. The policies discussed in the first half of this article still apply and you can create policies about how employees treat each other on social media. You can even take action against harassing or discriminating conduct between co-workers on social media that was made during their off hours. Why? Because of the key word “lawful”. Harassment and discrimination are not lawful, so they can be regulated – within reason. Consider this sample policy from the NLRB:

While your free time is generally not subject to any restriction by the Company, the Company urges all employees not to post information regarding the Company, their jobs, or other employees which could lead to morale issues in the workplace or detrimentally affect the Company’s business. This can be accomplished by always thinking before you post, being civil to others and their opinions, and not posting personal information about others unless you have received their permission. You are personally responsible for the content you publish on blogs, wikis, or any other form of social media. Be mindful that what you publish will be public for a long time. Be also mindful that if the Company receives a complaint from an employee about information you have posted about that employee, the Company may need to investigate that complaint to ensure that there has been no violation of the harassment policy or other Company policy. In the event there is such a complaint, you will be expected to cooperate in any investigation of that complaint, including providing access to the posts at issue.

This policy does not violate the Right to Privacy in the Workplace Act because it reminds employees that they are still subject to the Company’s harassment and discrimination sections of the employee handbook and it also focuses on being respectful to fellow employees and does not restrict their lawful interactions.

Navigating the world of employment laws is tricky, but when it comes to protecting your Company data one thing is clear: do not trample on your employees’ rights in the name of protecting your business from a cyber breach. You will have jumped out of the frying pan and into the fire.

