NLRB’s View on Employers Protecting Customer Information

Employers can prohibit the use by employees of the names, social security numbers, and credit card numbers of customers in furtherance of organizational activities. This ruling came after the NLRB scrutinized the employer’s definition of confidential information and policies covering “Use of Personal Data” and “Confidentiality and Acceptable Use of Company Systems.”

The company defined confidential information as: It could be business or marketing plans, pricing strategies, financial performance before public disclosures, pending negotiations with business partners, information about employees, documents that show social security numbers or credit card numbers – in short any information, which if known outside the Company could harm the Company or its business partners customers or employees or allow someone to benefit from having this information before it is publicly known. Just as our Company requires that its own confidential information be protected, our Company also requires that the confidential information and proprietary information of others be respected… We are all trusted to maintain the confidentiality of such information and to ensure that the confidential information, whether verbal, written, or electronic, is not disclosed except as specifically authorized. Additionally, it must be used only for the legitimate business of the Company.

The Company’s Use of Personal Data policy states: The Company has certain personal data of its present and former associates, customers, and vendors. It respects the privacy of this data and is committed to handling this data responsibly and using it only as authorized for legitimate business purposes. What is considered personal data? It is information such as names, home and office contact information, social security numbers, driver’s license numbers, account numbers, and other similar data.

The Company’s Confidentiality and Acceptable Use of Company Systems policy states: Any information that is not generally available to the public that relates to the Company or the Company’s customers, employees, vendors, contractors, service providers, Systems, etc. that you receive or which you are given access during your employment or while you are performing services for the Company is classified as “Confidential” or “Internal Use Only.”

The union challenged these polices as unlawful, asserting they would lead a “reasonable employee” to interpret them as prohibiting contact with customers during a labor dispute, something that is protected by the National Labor Relations Act.

A two-person majority of Miscimarra and the usually pro-union McFerran concluded the polices related to use of customer information were lawful because the policy “specifically defines” confidential information and the “only information covered by that rule that arguably relates to customers is social security numbers or credit card numbers.” Further, both the Use of Personal Data and Acceptable Use of Company Systems policies “limit the use or disclosure of customer names and contact information” which is information that could arguably be used in a labor dispute but that “only apply to customer names and contact information obtained from the employer’s own confidential records.” [Not shockingly, Member Pearce dissented, implicitly authorizing employees to steal credit card and social security numbers from unsuspecting customers.]

For support, the Board cited many cases holding that employees who use information taken from employer systems are outside the protection of the Act, including where the employee had forwarded hundreds of company emails, some of which included confidential data, to a personal email account.

The takeaway – tailor policies to achieve your business objectives. In this case, the definition of confidential information was very specific and narrow. The types of information under the Use of Personal Data and Use of Company Systems policies were restricted, appropriately, to information that the employer collects as part of its business.

Matt Austin owns Austin Legal, LLC, a boutique law firm based in Ohio that limits its representation to employers dealing with labor, employment, and OSHA matters. You can reach Matt by calling him at (614) 285-5342 or emailing him at