Your Employer Can Monitor You While You Work From Home—Should They?

By: Joshua Waugh

Since “pandemic life” began, as many as 40% of American workers have worked from home. If you’ve been lucky enough to trade the crowded bus or the gridlocked highway for the shorter bedroom-to-laptop commute, chances are you’ve wondered just how closely your employer is watching you. The truth is that telework, for all its benefits, also has a major downside: near limitless opportunity for high-tech surveillance. And while it is clear that employers have the legal capability and the technology to monitor their employees, it’s less clear that employee surveillance is actually a good idea at all.

Can my employer really monitor me?

It is no secret that American privacy and technology laws are often lacking. At the federal level, the primary law dealing with electronic privacy is the Electronic Communications Privacy Act (ECPA), which was passed in 1986. The law is so old that Title I of the Act only contemplates a third party’s “interception” of a message sent by “wire, oral, or electronic communication”; the law doesn’t address the possibility of accessing stored communications, such as email, post-transmission.

Furthermore, Title I of the ECPA has been interpreted to include a carveout specifically allowing employers to monitor employees as long as the employer can show a legitimate business purpose. The ECPA also permits employers to electronically surveil employees upon their consent, which, given often imbalanced employee-employer power dynamics, is not great for the ordinary employee.

Title II of the ECPA, or the Stored Communications Act (SCA), provides more protection to employees, though the law is still just as dated as Title I. Under the SCA it is fairly well established that your employer can’t log in to your personal email without your permission. So rest assured, your employer cannot see the thousands of unread advertising emails in your inbox unless you give them access.

All of that said, there is not much legislation on electronic privacy at the federal level. That may seem surprising considering we’ve seen privacy controversy after privacy controversy from practically every big tech company in recent years, but electronic privacy regulation seems to be generally left to the states. The end result is that only Californians (and to a lesser extent Coloradans and Virginians) enjoy broad statutory protections against electronic employer surveillance. In most of the other states, as long as you are using an employer’s device or network, your employer may surveil you as much as they’d like. And surveillance software is readily available, including keyloggers that record every keystroke you make, activity monitors, and even software that records every website or app you access on the device. In fact, if your workplace is using the Microsoft Office 365 Suite, your employer is already able to monitor and analyze your work activity.

Where do we go from here?

If you’re concerned about your general lack of privacy rights living in America, you are not alone. Researchers have published studies showing that extensive employer surveillance can breed distrust among employees and such surveillance can be a significant hindrance on worker productivity and other positive performance outcomes. The feelings of distrust are even stronger when employees discover that they were being surveilled without their knowledge.

Despite evidence suggesting employee surveillance may have negative effects, surveys show that 62% of executives planned to use monitoring software in 2019, and that number is certain to have grown during the pandemic work-from-home era. Meanwhile, we’re also in the midst of a radical transformation in the labor force—the U.S. Bureau of Labor Statistics reported that 2.9% of the entire U.S. workforce, 4.3 million people, quit their jobs in August 2021. By all appearances, the Great Resignation is accelerating as 4.4 million workers went on to quit during September 2021, topping August’s record numbers. At a time when people are rethinking their relationship with work, struggling with burnout, and dealing with burdensome household issues such as child- and elder-care, employers should spend less time secretly surveilling their employees, and instead put effort into employee engagement. Essentially the opposite of paranoid surveillance, companies should engage with their workers by providing flexibility and building trust. Employee engagement is more likely to boost productivity than surveilling, and more importantly, in today’s climate, has been shown to increase employee retention. Ultimately, under current U.S. law, your employer can surveil you to its heart’s content in most states—but you can also resign if you feel your privacy rights have not been respected. As more and more in the labor force decide to do so, we’ll just have to wait and see how legislators respond.

Patents 101: Making Cents Off Ideas

By: Mark Stepanyuk

Patent Law and Section 101 Overview

The Patent Act was enacted pursuant to Article I, Section 8, Clause 8 of the Constitution, which allows for Congress “[t]o Promote the Progress of Science and useful Arts, by securing for limited Times to  . . .  Inventors the exclusive Right to their  . . .  Discoveries.” This utilitarian basis underpins the modern patent system as codified in Title 35 of the United States Code. Among other requirements, to secure a patent, the subject matter of the patent must be eligible under Section 101. The Patent Act lists subject matter eligibility for patentability as the first step in the patent process, and some have even argued that it would be inefficient not to apply the subject matter patentability screen first in assessing the patentability of an invention or discovery. 

35 U.S.C. Section 101 states that “[w]hoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.” Congress intended for the eligible subject matter to “include anything under the sun that is made by man” (i.e., to be as broad as possible). Indeed, historically, the Supreme Court has concocted only three exceptions to this otherwise broad provision concerning subject matter patentability: laws of nature, physical phenomenon, and abstract ideas. 

Behind this subject matter patentability screen is the basic assumption that granting a patent on these relatively ineffable concepts would ultimately not “[p]romote the Progress of Science and useful Arts.” That is, since part of the patent bargain between an inventor and society includes the grant of a 20-year monopoly (from the date of filing), if that patent was given to an inventor for any of these conceptual exceptions, society would be getting the short end of the stick in the exchange. In Funk Brothers Seed Co., the United States Supreme Court uses fancy language to describe these concepts as “part of the storehouse of knowledge of all men” and “free to all men and reserved exclusively to none,” but functionally, the worry is one of pre-emption. As echoed by the Court on many occasions, the fundamental concern is inhibiting future innovation by “improperly tying up the future use of laws of nature,” and this reasoning is consistent with the utilitarian framework of the constitutional provision underpinning the patent system in the first place.

Section 101 and its Ambiguity

Since the dawn of the software and biotech age, it has become more difficult for courts to distinguish between patentable and unpatentable subject matter under section 101. Although courts have consistently struggled to assess the risk of preemption directly or indirectly, that task has become especially tricky for relatively novel, emerging, and dynamic industries such as software and biotechnology. From Mayo and Alice, the Supreme Court has devised a two-step test to determine patent subject matter eligibility under 35 U.S.C. § 101: the court determines (1) whether the claims at issue are directed to one of those patent-ineligible concepts; and if so, the court asks (2) what else is there in the claims? To answer that, the court considers elements of each claim both individually and “as an ordered combination” to determine whether the additional elements “transform the nature of the claim” into a patent-eligible application. In Alice, the court said that this second step amounts to a search for an “inventive concept,” and a court commonly ascertains an inventive concept by asking whether the step was “well-understood, routine, and conventional to a skilled artisan.” Berkheimer clarified that although patent eligibility is a question of law, whether the inventive concept is “well-understood, routine, and conventional to a skilled artisan” is a question of fact, leading to less invalidation of patents in early stages of litigation. As it stands, this Alice has proven to be quite confusing. 

What does it mean for a claim to be directed to a patent-ineligible idea? What exactly constitutes an inventive step? Nobody knows. The current state of section 101 jurisprudence is highly unpredictable and the main determinant for patent eligibility in this area seems to be the claim drafting skills of the prosecutor and the skills of the litigator in the courtroom. Courts have noted that since essentially every routinely patent-eligible invention of physical products and actions involve, in various degrees, some law of nature, natural phenomena, or abstract idea, it’s difficult to draw the line as to when that claim amounts to nothing more than ineligible subject matter. Some courts have dealt with this by considering the claims as a whole and asking whether their character is directed to the excludable subject matter. Again, this is an evolving area of law with no clear answers. In fulfilling patent law’s constitutional utilitarian imperative, courts will likely think about the field’s relative novelty and dynamism, the effect of granting the patent on market entry by competitors, invention and discovery costs borne by the patentee, whether the claims are directed to a genus or species, etc., all in an attempt to gauge the relative impact of preemption. 

The Patent Law System and the Future of Section 101

In the United States, the law is a disjointed field of outcomes and approaches, and its patent system is no different. Institutions playing a role in the U.S. patent system also shape section 101 judicial value judgments.  The Supreme Court of the United States (which generally has the final say on patent cases), the United States Court of Appeals for the Federal Circuit (established in 1982 and operated as an appellate-level court for patent cases), the United States Patent and Trademark Office (which usually operates as the first system to interface with patents), and district courts (which operate as the most common venues for resolving patent disputes) all leave indelible marks on the law of patents in the U.S. In interpreting rules such as section 101, these institutions do not necessarily work with the same set of interests; indeed, the political economy of operational processes (such as internal docket management), personnel’s relative expertise, the institution’s stated objective, and other functional mechanics, create a different set of incentives in approaching patents and disputes. Additionally, Congress tends to exist as a wild card player that can speak at any point to clarify an approach to interpreting section 101 of the Patent Act.

Whatever the reason for the current state of section 101 jurisprudence, many want some clarity–including the Federal Circuit. Section 101 litigation has drastically increased since the Alice ruling, and it looks like there is no end in sight. But there may be some hope! Currently, there is a case pending certiorari with the Supreme Court that involves a method for manufacturing driveshafts to reduce interior cabin vibration in vehicles. If granted cert. by the Supreme Court, this case could provide clarity on important questions like what is the appropriate standard for determining whether a patent claim is “directed to” a patent-ineligible concept? Although this clarification has some potential to help future courts make sense of which ideas are patent-eligible, it would also not be inconceivable for some other version of Alice to eventually come along and shake things up all over again in this dynamic field of law.

The FTC Takes on Health and Fitness Apps’ Rampant Privacy Problems

By: Laura Ames

More and more Americans are turning to mobile health and fitness applications, but many worry about the lack of regulations would ensure that developers of these products keep user information secure and private. The Federal Trade Commission (“FTC”) recently addressed this concern with a policy statement (“Statement”) including app developers among the entities who must follow certain notification procedures after security breaches. However, many question the Statement’s practical effects and whether the FTC had the authority to issue it.  

Health App Trends

Mobile health and fitness apps have gained popularity in recent years, and the COVID-19 pandemic only accelerated this growth. In fact, the United States led the world in health and fitness app downloads as of October 2020 with 238,330,727 downloads that year alone. Even with this increased usage, a recent poll showed that over 60% of U.S. adults felt at least somewhat concerned regarding the privacy of their health information on mobile apps. These worries appear to be well-founded. Flo Health Inc., the developer of a menstrual cycle and fertility-tracking app, currently faces a consolidated class action alleging the company disclosed users’ health information to third parties without users’ knowledge. This is not an isolated concern. A recent study of over 20,000 health and fitness apps found that a third of these apps could collect user email addresses and more than a third transmitted user data to third parties such as advertisers.

The Original Health Breach Notification Rule

Congress enacted the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as an investment in American health care technology. Subtitle D of this Act delegated authority to the FTC to promulgate breach notification requirements for breaches of unsecured protected health information. In 2009, the FTC issued its Health Breach Notification Rule (“HBNR”) covering vendors of personal health records (“PHR”) and PHR-related entities who experienced a security breach. The HBNR requires these entities to notify affected individuals and the FTC. Crucially, the HITECH Act defines a PHR as an electronic record that can be drawn from multiple sources.

The FTC has never enforced the HBNR, but the possibility for changes to the rule has been on the horizon for some time. In 2020, the FTC requested public comments on the HBNR, which functions as a part of their rulemaking process, saying that it was merely a periodic review of the rule. However, before that comment period ended, the Commission issued a policy statement that turned heads.

The FTC Makes a Bold Move

On September 15, the FTC issued a statement with two of the five Commissioners dissenting. The FTC’s stated goal was to clarify the HBNR and put entities on notice of their security breach obligations. The FTC explained that the HBNR is triggered when “vendors of personal health records that contain individually identifiable health information created or received by health care providers” experience a security breach. The first major revelation was that the FTC considers developers of health apps or connected devices as health care providers because they provide health care services or supplies.

Additionally, the FTC stated that it interprets the rule as covering apps that are capable of drawing information from multiple sources, like through a combination of consumer inputs and application programming interfaces (“APIs”). The statement gave two examples of apps that are covered under this understanding. First, an app that collects information directly from users and has the capacity to draw information through an API that enables syncing with a user’s fitness tracker. Second, an app is implicated if it draws information from multiple sources even if the health information only comes from one source. For example, if a consumer uses a blood sugar monitoring app that draws health data only from that consumer’s inputs but also draws non-health data from the phone’s calendar, that app is covered by the HBNR.

Additionally, the FTC sought to remind entities that a breach is not limited to cybersecurity intrusions but also includes unauthorized access to information. Under this interpretation, companies that share information without a user’s authorization would also be subject to the Rule. Although the FTC had not previously enforced the Rule, this Statement also served as signaling the FTC’s willingness to do so. It mentions that businesses could face potential civil penalties of $43,792 per violation per day.

Obviously, these clarifications could subject many app developers and other companies to the FTC’s rule. However, in the eyes of some, including the two dissenting Commissioners, this statement is not a mere clarification but a fundamental policy change. It could not only lead to potential confusion but could also be a breach of the FTC’s statutory authority and rulemaking process.

Critiques and Larger Questions

Some legal experts argue that this statement represents an expansion of the HBNR that could lead to further confusion for app companies and others. The two dissenting FTC Commissioners go further than potential confusion in their statements.

Commissioner Christine S. Wilson argued that this Statement both short-circuits the FTC’s rulemaking process and also improperly increases its statutory authority by expanding the definitions of terms without legislative approval. Commissioner Noah Joshua Phillips agreed that this statement’s first problem is its issuance in the middle of a request for public comment. Wilson pointed out that the FTC’s own business guidance for dealing with the HBNR directly contradicted the statement by saying that “if consumers can simply input their own” health data on a business’ site, for example, a weekly weight input, then the business is not covered by this rule. Wilson also expressed concerns that this interpretation of “health care provider” was a potentially slippery slope. For instance, does Amazon qualify as a health care provider given that users can purchase Band-Aids and other medical supplies through its phone app?

In the coming months, we might see the FTC forcing app developers to notify customers of data disclosures, but the debate around this statement also reveals larger questions concerning health care at the moment. Fundamental questions that once might have seemed easy to answer, such as who qualifies as a health care provider, are growing murkier. In the wake of COVID-19’s effects on telehealth and health technology in general, it seems unlikely that health care will phase out of this continued intermingling with technology. If that is the case, then legislation and regulations surrounding health care will continue to have to scramble to catch up with this rapid technological evolution.