Updates in the Complicated World of Employee Privacy

Seyfarth Synopsis: With the availability of new vehicle GPS devices and smart phone tracking applications, employers need to be mindful of employee privacy rights when using location technologies in the workplace.

It Doesn’t Take A Magellan To Map Routes Anymore

Employers now have available the technology that concerned parents of wayward teenagers have often wished for. Thanks to technological advances, one can now monitor another’s movements in ways that could only be imagined a couple of decades ago.

The benefits of tracking employee activity through GPS (Global Positioning Systems) include: (i) verifying routes and locations for mobile employees, particularly in the transportation or delivery industry, (ii) ensuring that employees are not violating traffic laws, (iii) monitoring employee overtime, (iv) verifying that employee time records are accurate, (v) locating company-owned stolen vehicles, and (vi) verifying that employees are not misusing company vehicles by, for example, driving to inappropriate locations or at inappropriate times.

With the advent of GPS smart phone applications, companies have begun to install GPS tracking apps on company-issued smart phones, which monitor not only the employees’ transportation in vehicles, but may allow for out-of-vehicle monitoring as well.

So with all of this great new technology, where (if at all) must employers draw the line when it comes to tracking employee mobility?

Navigating The Nexus of Privacy and Employer Needs

At the center of the debate on the lawfulness of tracking employees via GPS is the employee’s right to privacy vs. the employer’s need for productivity and business-related information. California has a strong tradition of protecting individual privacy rights. Article I, Section 1 of the California Constitution provides that “all people” have an inalienable right of privacy. This provision applies to private as well as public employers. California employers thus must be wary of infringing on employee privacy by learning too much about private time and lawful off-duty activities.

Litigation Beginning To Moovit Related To GPS Tracking

Of major importance is whether the GPS tracking information is related to job performance: if it is not, then cataloging off-duty activities may violate constitutional rights to privacy. Consider this recent cautionary tale: In Arias v. Intermex Wire Transfer, an employee sued her former employer, claiming she was fired for uninstalling a GPS tracking app from a company-issued smart phone that was tracking her movements even when she was off the clock. The employee objected to being tracked on her own time and compared the GPS to the ankle bracelet placed on someone under house arrest. She sued for wrongful termination, invasion of privacy, unfair business practices, retaliation, and other claims, seeking over $500,000 in damages. This suit, privately settled, is likely not the last of its kind.

An additional source of legal restriction on remote employee monitoring is California Penal Code section 637.7, which prohibits the use of “an electronic tracking device to determine the location or movement of a person” via a “vehicle or other moveable thing” unless “the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.” So while an employer arguably can install GPS tracking on company-owned vehicles, and even on employee-owned vehicles used for work purposes (with advance consent as we’ve blogged previously), there is currently no such carve-out allowing employers to require GPS tracking through smart phones.

In What Waze Should Employers Be Mindful About Using GPS?

A California employer using GPS to monitor employees should have policies carefully considering employee privacy issues. As with other kinds of workplace monitoring (e.g., cameras in the workplace, use of email and Internet systems), we recommend (a) full disclosure to employees, and (b) obtaining employee consent, including implementing a separate GPS tracking policy. The policy should:

  • Outline the legitimate business reasons for using GPS tracking (e.g., increasing operational efficiencies, improving customer service, maintaining accurate timekeeping records, improving safety).
  • Provide clear notice of the company’s right to monitor employee locations while the employee is using company-owned property, describe when and how employees should expect to be monitored, and tell employees they should have no expectation of privacy while using the company property.
  • Explain how the employer will use and safeguard data collected.
  • Notify the employee of the consequences that could lead to discipline for disabling a GPS device without the employer’s permission.
  • Communicate the policy to all employees, and have them provide written acknowledgement of their receipt and understanding of the policy.

Other best practices to consider include:

  • Limit monitoring of activity to work hours, and monitor an employee’s location only for a specific business purpose in compliance with the GPS tracking policy. The collected data should not reveal details of the employee’s private life.
  • Limit access to the GPS tracking information to company personnel who have a clear business need to know that information.
  • Make sure that you store any GPS-related data securely.
  • Where employees are unionized, consider whether there is a duty to bargain before implementing the use of GPS tracking, depending on the language of the contract and the parties’ course of dealing. The NLRB has advised that a complaint would issue when an employer failed to bargain before unilaterally implementing a vehicle data recorder system to monitor employee compliance with driver safety rules.

Workplace Solution: Because this area of law is still developing as new technologies emerge, employers should continually revisit their GPS policies for compliance. We monitor developments in this area and will provide our readers with further information as it becomes available. In the meantime, if you have any questions, please contact the author or your favorite Seyfarth attorney.

Edited by Coby M. Turner.

Seyfarth Synopsis: Within the last few years, the California Legislature has amended laws related to an employee’s right to inspect personnel records, intending to ensure employees have access to those records. Since then, employers have seen more such requests, claims made before the Labor Commissioner, and even lawsuits over production of personnel files. We offer here some tips on how to comply.

What Is This Letter and What Do I Do About It?

Your company receives a letter from a former employee (or a lawyer) asking to inspect the personnel file or “employment records.” What (if anything) should you do in response?

How and when a California employer responds to these requests can have legal consequences. That’s right—employers can be sued (or even face criminal liability) over how they did, or did not, respond to personnel file requests.

The proper response depends, first, on what the employee is asking to inspect. In California, three principal statutes govern employee requests to inspect personnel records—Labor Code §§ 1198.5, 226, and 432. See below for details.

Labor Code § 1198.5

Section 1198.5 says that employees (and former employees) have the right to inspect personnel records maintained by the employer “related to the employee’s performance or to any grievance concerning the employee.” Employers must allow inspection or copying within thirty (30) days of the request, which can be made by the employee or their representative (often an attorney). That time period can be extended by five (5) days by mutual agreement.

Covered documents: Under the terms of the statute, it appears that documents such as performance reviews, commendation letters, disciplinary notices (“write-ups”), corrective action plans, and complaints about the employee would likely be covered.

The language in Section in 1198.5 is broad; it uses the terms “related to” and “concerning.” As a result, determining exactly what other documents might be covered can be a challenge. But the Labor Commissioner has issued some guidance on its website on what might be included in a “personnel file,” including, in addition to the above, things like an employment application, notices of leaves of absence or vacation, education and training notices, and attendance records. Unfortunately, there is no appellate case interpreting the scope of the current statutory language. So the overall scope of the statute still remains an open-ended question.

Nevertheless, the statute excludes certain files. For most employers, those files are (1) records about a criminal offense, (2) letters of reference, and (3) ratings, reports or records obtained before the employee’s employment, prepared by identifiable examination committee members, or obtained in connection with a promotional examination. In addition, employers can redact the names of any non-supervisory employee mentioned in the requesting employee’s file.

There are also situations when the statute does not apply. For example, if an employee (or former employee) files a lawsuit that “relates to a personnel matter” against the employer, then the right to inspect or copy the records ceases during the pendency of the lawsuit. The inclusion of this provision strongly suggests that Section 1198.5 is not a replacement for broad civil discovery.

What happens if I forget to produce records in time? If the employer does not permit the inspection or copying of these records in time, the employee may bring an action to obtain a court order (injunction) for the employer to comply with the statute. Employees are also entitled to a statutory penalty of $750 AND an award of attorneys’ fees and costs for bringing the action. And failure to comply is a criminal infraction. Ouch!

Labor Code § 226

Section 226 requires California employers to furnish employees with itemized wage statements that show nine (9) specific categories of information, such as all hourly rates, hours worked, gross wages earned, etc. The employer must provide these wage statements at the time employees are paid or semi-monthly. The specific information required and the entire text of the statute can be found here.

Covered documents: The scope of this one is easier than Section 1198.5. In addition to requiring itemized wage statements, this section also requires the employer to produce those wage statements to employees on request or a computer-generated report that shows all nine (9) categories of information required. Employers must make the records available to the employee within twenty-one (21) days.

What happens if I forget to produce records in time? Section 226 has remedies similar to those available under Section 1198.5. Section 226 also authorizes the employee to sue for a court order requiring the employer to produce the information and also a penalty of $750, and employees can also recover attorneys’ fees for bringing the lawsuit. Violation of the statute is also a criminal infraction. But unlike Section 1198.5, there is no exception for pending litigation. Yikes!

Labor Code § 432

Section 432 applies to any document that an employee (or job applicant) “signs” that is related to obtaining or holding employment. Upon request, the employer must provide those documents. Fortunately, this statute is simpler than the others. There is no timeline for production and there is no private right of action to enforce compliance.

But that does not mean that employers should ignore requests under this statute. As a practical matter, documents covered by this section can also be covered by Section 1198.5 (i.e., signed performance reviews or signed disciplinary write-ups). More importantly, failure to comply with such a request is a misdemeanor. And there is also no exception for pending litigation. Wow!

Covered documents: As mentioned, Section 432 covers any document the employee signed related to “obtaining” or “holding” employment. Examples include job applications, handbook acknowledgments, arbitration agreements, job descriptions, and any signed policy acknowledgments (anti-harassment, retaliation, discrimination, at-will employment, meal/rest break polices, etc.).

Workplace Solutions

Employers often wonder if they have to produce “every” record about an employee in response to these requests. As the statutes indicate, the answer is “no”— only documents that fall within the categories requested need to be produced. Employers must also remember to protect other important rights. Indeed, personnel issues often implicate attorney-client privilege, attorney work-product, proprietary information, and privacy issues. As a result, responding to personnel file requests often requires a case-by-case approach.

If you would like assistance in ensuring your company’s compliance with a personnel file request, or if you have any questions raised in this post, then please do not hesitate to contact the author or any other member of Seyfarth’s Labor and Employment Group.

Edited by Coby M. Turner.

Seyfarth Synopsis: Social media information—pictures, status updates, location markers, “likes,” groups, and associated friends, all from the owner’s perspective and documented in real time—can be a  goldmine of information to defend employment lawsuits. Read on for thoughts on how to extract and refine this information, and what limits to observe in using it.

Social media and discovery is an area rife with potential drama: pictures of a plaintiff vacationing in Hawaii after he’s called in sick? Yes, please! How and should we access such juicy information?

Litigation-related discovery of social media content is generally permissible. The main problem is that—both in formal discovery and in other forms of fact-finding—there isn’t a complete picture on how far one can go to obtain it. Below are some tips to help employers stay in the friend-zone while using social media to their advantage in litigation.

Go Narrow! (At Least At First)

In a frequently cited case on the matter, Mailhoit v. Home Depot U.S.A. (C.D. Cal. 2012), the court debated how a defendant could use social media in litigation, and ultimately decided that there is a limited right to discover a party’s social media content. Mailhoit allowed an employer to make “particularized requests”—in that case all social media communications between the plaintiff and her current or former co-workers in any way referring to the lawsuit. But Mailhot said the employer was not entitled to look through the entirety of the plaintiff’s social media information in the hope of “concocting some inference about her state of mind,” and refused to permit other proposed, broader, discovery requests.

But even this limited discovery can be important: once relevance is shown, courts may be more likely to permit additional discovery. Mailhoit suggested that if social media posts are relevant, additional discovery may proceed.

At least one non-California court has already taken this step. In Crowe v. Marquette Transportation Company Gulf-Inland, LLC (E.D. La. 2015), the court ordered an employee to produce an unredacted copy of his entire Facebook page, even though the employee protested that he had deactivated his account. The employer was even entitled to analyze his Facebook messages, which potentially contained a lot of useful information! If a California court can be persuaded that social media communications in some way relate to claims or defenses in the litigation, then they, too, may yield to discovery.

Private vs. Public: Gimme, Gimme!

We know that in California, since 2013, we cannot force employees or job applicants to turn over social media passwords. The California legislation on this point reflects a public policy that recognizes our unique constitutional right of privacy.

But what about publicly available information? California courts agree that there can be no expectation of privacy in publicly posted information on social media websites. See Moreno v. Hanford Sentinel, Inc. (Cal. App. 2009).

This means if the privacy setting on an employee’s Facebook posts is “Public”(i.e., available to anyone on or off Facebook), then anything posted is fair game for discovery. The same goes for publicly available Twitter tweets, publicly available Instagram posts, publicly available LinkedIn info, MySpace page information, etc. Presumably, if someone publicly posts elsewhere (e.g., Reddit, 4Chan, personal blogs), with a link it to the poster’s identity, then those posts may also be accessed and used.

Save, Save, Save!

Social media, like life itself, is evanescent.  Publicly available, incredibly useful information can be here one day, gone the next. Do not rely on information staying up once it is up. To best preserve currently available information, screenshot the information, or print to .pdf. Then save and wait. It doesn’t get much better than seeing the face of a plaintiff when confronted with a photo he thought he had deleted. You know the one: featuring the plaintiff himself, bleary eyed and hoisting a beer, an hour before his scheduled work shift. Or the one showing him wearing stolen merchandise. Or the one showing him partying it up while supposedly suffering from “emotional distress.”

Fake-Friending and Professional Responsibility: Don’t Be a 🙁 

“Fake-friending” is when one creates a fake profile to add a person on Facebook or other social media with the aim of gaining full access to the person’s more limited profile. Rules of professional responsibility for lawyers discourage this practice—(the American Bar Association has recognized at least four areas of concern: (1) confidentiality, (2) truthfulness in statements to others, (3) responsibility regarding non-lawyer assistants, and (4) misconduct). Conducting covert research through fake-friending may also violate California Rules of Professional Conduct, such as Rule 2-100, which forbids “communication with a represented party.” Non-attorneys may be subject to similar ethical responsibilities.  So leave intentional fake-friending out of your litigation arsenal.

Nonetheless, it is not always clear what the limits of these rules mean in practice. For example, would it be OK to accept the help of a third party who has access to shared information (for example, the plaintiff’s co-worker, who has added the plaintiff as a friend online)?

The San Diego County Bar Association released an Opinion (2011-2), stating: represented “parties shouldn’t have ‘friends’ like that and no one – represented or not, party or non-party – should be misled into accepting such a friendship.” Specifically, the opinion states that if the motive is to obtain information about the litigation, then this conduct can violate Rule 2-100 and constitute deceptive conduct forbidden by the California Business and Professions Code.

Outside of California, other jurisdictions have found that it would be unethical even to ask a third person, whose name a hostile witness will not recognize, to obtain social media information, even if the person states only truthful information.

The Future of Social Media and Regulation: “It’s Complicated”

New apps, social media websites, and ways to share information emerge every day. Unfortunately, the law and public policy often lag behind advances in technology. In some states, we’re already seeing some peculiar stuff going on. In New York, courts have since 2013 held that some service via social media can satisfy due process. In one early case, Federal Trade Comm. v. PCCare247 Inc. (S.D.N.Y. Mar. 7, 2013), the court noted: “history teaches that, as technology advances and modes of communication progress, courts must be open to considering requests to authorize service via technological means of then-recent vintage, rather than dismissing them out of hand as novel.” New York courts have also indicated that social media may be considered an effective means of providing notice to potential class members in class actions. See Mark v. Gawker Media, LLC (S.D.N.Y. 2016).

Workplace Solutions

If you find yourself in a pickle—“to like or not to like?”, “to friend or not to friend?”, “to snoop or not to snoop?”—remember that a friendly neighborhood Seyfarth attorney is just a poke away.

Edited by Coby M. Turner.

Seyfarth Synopsis: Hernandez v. Sprouts Farmers Market, Inc., a case stemming from a phishing scam, emphasizes the need for California employers to implement comprehensive data protection and data breach notification policies and practices for personal employee information under the CDPA.

A story of a company suffering a data breach tops newspaper headlines almost daily. So how can you stay out of the “fuego,” and stay compliant with California laws about your employees’ and customers’ data?

California’s Data Protection Act—“Army Of One”

In 2003 California passed the nation’s first data breach notification statute: the CDPA. Since then, over 30 states have enacted similar statutes, but California remains the national leader in privacy and data security standards.

The CDPA mandates that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And it requires a company to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.”

The CDPA takes a very broad view of personal information, defining the term to include:

  • An individual’s signature,
  • A person’s physical characteristics or description,
  • Information collected through an automated license plate recognition system, and
  • An individual’s employment and employment history.

The CDPA also requires that if a company experiences a data breach and decides to offer “identity theft prevention and mitigation services” to affected persons, then it must provide these services to affected persons for at least 12 months and at no cost. Additionally, unlike many other state laws about data breaches, the CDPA requires a company affected by a data breach to submit a sample of the data breach notification letter to the California Attorney General.

“Vultures” Go Phishing At Sprouts

What’s Phishing? In a phishing scam, a fraudulent email message appears to be legitimate, and often directs one to a spoofed website in order to dupe the recipient into divulging private personal information. The perpetrators then use this information to commit identity theft.

In March 2016, a Sprouts employee received an email purportedly from a Sprouts senior executive, asking for the 2015 W-2 statements of all Sprouts employees (which contain social security numbers). In reality, the email was sent by a third-party and was a phishing scam.

When the Sprouts employee received the phishing email, the W-2 forms of thousands of current and former employees were compiled and sent to the third-party. Sprouts later realized the error and notified the affected individuals of the data breach.

Shortly afterwards, a former Sprouts employee filed a class action lawsuit against the company, alleging violations of the CDPA and the California Unfair Competition law. The suit alleges essentially that the employer should have had procedures and policies in place to protect employee information from a phishing attack because such attacks are commonplace in the information age. A First Amended Complaint was filed on May 25, 2016, and Sprouts has not yet filed its response.

Sprouts highlights that it is important for California employers to have a data protection and data breach notification plan. Such a plan is instrumental to head off attacks by hackers and bad actors seeking private employee data to commit identity theft.

“Anything But Me”—What’s An Employer To Do?

The California Attorney General has issued annual reports analyzing data breach notices and providing recommendations to companies and employers for implementing data breach plans, including recommending that companies and employers:

  • Implement the Center for Internet Security’s Critical Security Controls as the “minimum level of information security” if they handle personal data.
    • The Attorney General has stated that“[t]he failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
  • Implement “strong encryption” for personal information on laptops and other portable devices, and consider full encryption on desktop computers when not in use.
  • Encrypt digital personal information when moving or sending personal information out of their secure network.
  • Encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices.
  • Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.
  • Provide training to employees and contractors on data security controls.
  • Improve the readability of breach notification letters.

Seyfarth has ample experience assisting companies and employers to develop these protocols. If you have any questions about implementing a CDPA compliant data protection and data breach notification plan for employee personal information, please reach out to a member of Seyfarth’s Global Privacy and Security (GPS) Team.

Edited by Coby M. Turner.

iStock_000006895318_LargeWe all know that social media and privacy issues in the workplace can be a bone-chilling proposition.  Before you go snooping into your employees’ social media accounts to see whether it’s filled with tricks or tweets, please be sure to review our frightfully informative 2015-2016 Edition of the Social Media Privacy Legislation Desktop Reference.  Without it, one never knows what kind of legislative ghouls and goblins might come back to haunt you. Please click here to learn more.  It’s a scream!

Picture this scenario:  you run a private residential facility for abused children.  Late one night, one of your computers is used to access pornographic web-sites and other inappropriate material in violation of several well-publicized workplace policies.  After further investigation, you learn that the inappropriate computer usage occurred on several occasions, but was limited to that one computer, which is located in an office shared by two day-shift employees in the administrative building.  Several employees have access to the building and could have used the computer on the nights in question.  Concerned that the culprit might be a staff member who works with the children, you hatch the perfect plan to catch him or her:  place a hidden camera in the office!  Of course, you don’t want to publicize its placement.  That would defeat the purpose and the guilty party would simply find another computer to use.  Besides, you plan to activate the camera only at night, several hours after the day shift has left the facility.  The daytime occupants of the office won’t care that it’s there.  Genius!

Did we mention that you are operating this facility in California?

The above scenario mirrors the facts of a case brought by, you guessed it, the two day shift employees who brought suit alleging that the placement of the hidden camera in their office without their knowledge or consent violated their right to privacy under both common law and the California Constitution.  What?  Are you telling me that merely placing a camera in an office, without even recording the occupants during business hours, is unlawful?  Fortunately, the California Supreme Court answered that question with a resounding “no” in Hernandez v. Hillsides, Inc., 47 Cal. 4th 272 (2009).  However, the case makes clear that whether or not you can surreptitiously videotape depends on the facts and circumstances unique to your workplace, and you must carefully evaluate when, where, why and how you can do so in order to minimize your liability.

For starters, in California, employees have a constitutional right to privacy which creates at least a limited right of action against both private and government entities, which is in addition to other tort actions, like unlawful intrusion.  California has a well-developed body of law prescribing the various elements that a plaintiff must prove in order to succeed on an invasion of privacy claim; however, when considering secretly videotaping your employees, these are the big questions you have to ask:

Do employees have a reasonable expectation of privacy in the area that is going to be recorded?  Bathrooms, locker rooms or other areas where reasonable persons would agree employees rightfully expect privacy are strictly off-limits.  However, hallways or entryways where employees interact with the public and one another and expect that their activities can and will be viewed by others are generally areas where a reasonable person would not have an expectation of privacy. 

Do you have a good faith legitimate business reason for secretly videotaping?  Harassment, blackmail or prurient curiosity are never valid reasons for secretly recording your employees’ actions.  On the other hand, the court found the reason articulated by Hillside in our case above, which was to prevent a rogue employee with access to children in a residential facility from accessing pornographic material at the facility, was a legitimate reason that did not offend societal standards.

Is the taping conducted in a reasonable manner, or is it offensive?  Even if secret videotaping is conducted for legitimate business reasons in areas where employees have no reasonable expectation of privacy, the manner in which the recording is conducted could still subject an employer to a breach of privacy claim.  For example, if a camera is zoomed in on a female employee’s cleavage while she’s conversing with a customer, or an employees’ back-side as he/she walks down the hallway, what otherwise would have been acceptable becomes arguably offensive and unacceptable.

Workplace Solutions: In the end, whether, when, why, and how to surreptitiously videotape your California employees should be decided on a case by case basis after full review of the factual circumstances.  Most videotaping does not need to be secret and disclosing your intention to do so may prevent employees from engaging in behavior that violates your policies. 

If you determine videotaping is appropriate, determine whether the purpose of filming can be accomplished with the employees’ knowledge or whether secret taping is required.  If notice is appropriate, consent to the taping is recommended, but notice will typically suffice, especially where the cameras are prominently displayed and in common areas.  Placement of signs, such as “smile, you’re on camera,” in areas where videotaping is taking place is a common way to provide notice of taping.

Drug use in California can cause headaches for employers.  Balancing employee privacy interests against safety concerns forces employers to make tough choices with little guidance.  Legal drug testing of existing employees is so limited that most drug use won’t be detected until after an accident.  With increasing support for legal medical marijuana, many employers have struggled to determine how to respond to applicants and employees who test positive.  Now, with recent case law and the FEHC’s final regulations, employers finally have the support they need.

A Puff of History on Legalized Medical Marijuana  In 1996, California legalized prescription medical marijuana use. It did not, however, address use in the employment context.  California employers had no guidance as to whether or to what extent an employee who tested positive had to be accommodated. 

This left two main questions:

  • Does an employee with a “medical marijuana card” get a pass if he or she fails a drug test because in that context it’s no longer considered an “illegal drug?”
  • Does the fact an employee uses the drug to treat a potentially disabling condition make allowing the use of medical marijuana a “reasonable accommodation?” 

In 2003, the California Legislature added more smoke by saying the Compassionate Use Act does not require any accommodation of medical marijuana use on the property or premises of any place of employment or during the hours of employment.  This implied that an employer must not interfere with an individual’s use of medical marijuana beyond working hours and off the employer’s premises.  Thus, hypothetically, if Joe the forklift operator got stoned in his car right before work to dull his arthritis pain, it was not clear whether his employer could do anything about it.

The Courts Weigh In  Employees got a buzz kill in 2008, when the California Supreme Court concluded in Ross v. Ragingwire that an employer could deny employment based on an individual’s off-duty, off-premises use of marijuana without violating California’s Fair Employment and Housing Act (FEHA) or the constitutional right to privacy.  The Ragingwire employee had his offer rescinded after he failed a drug test, but he had a prescription for marijuana.  He claimed disability discrimination for failing to reasonably accommodate him, but the Court rejected it, concluding that the Act doesn’t limit an employer’s right to enforce its policies regarding failing a drug test, even when the drug is legal (in California) medical marijuana.  It is important to remember that, notwithstanding the Act, all marijuana use is still illegal under federal law. 

Legislative and Regulatory Reaction  Many predicted the Legislature would step in to protect employees using medical marijuana.  In fact, several bills suggesting employment protections similar to those for other prescription drugs died in session. 

Then, in one of its last acts before being dissolved in December 2012, the Fair Employment & Housing Commission added to the discussion by inserting the following language into the new disability regulations: 
                        An applicant or employee who currently engages in the use of
                        illegal drugs or uses medical marijuana is not protected as a
                        qualified individual under the FEHA when the employer acts on
                        the basis of such use, and questions about current illegal drug use
                        are not disability-related questions. 

With that emphatic statement by a binding rule-making authority, employers now can feel confident in denying employment to applicants who test positive for marijuana, even with a prescription.

What about the underlying condition?  It gets tricky, though, when the smoker explains positive test results by mentioning a medical condition that led to the marijuana use.  The employer could still choose not to hire the applicant, or to fire the employee.  However, this decision would be the least risky when the employer applies a zero tolerance policy for marijuana use across the board, and when the position is safety-sensitive (like operating machinery).  The key is to make sure that decisions are made based only on the drug test results, and not on the underlying medical condition.  But, depending on the circumstances, the employer may want to explore other options.  For example, if an applicant for an office job fails a drug test due to off-duty medical marijuana treatment for cancer, the employer may decide to hire anyway — the job is not safety-sensitive and there would be a risk of being sued for discriminating on the basis of the medical condition (cancer) if the applicant were not hired. 

Workplace Solutions When the position is safety sensitive or the company wants its policy to be absolutely zero tolerance, we recommend reviewing to ensure the policy is clear and states that failure of a post-offer drug test will lead to rescinding of that offer.  However, if the policy is more lax and the position is not safety sensitive, consider the impact of accommodating some use if it is to treat a protected medical condition and does not impact the work. 

Also, be mindful that many employees assume if they have a medical marijuana card, they can use without restriction.  Train managers to spot the symptoms of drug use so if employees are working under the influence, the proper steps can be taken.