Dealing with Employee Use of Social Networking Sites

August 31, 2009

By: Jessica C. Moller

Being at work apparently poses no obstacle to checking the Facebook or MySpace status of friends and keeping up-to-date with the continuous “tweets” on Twitter.  According to a recent study  conducted by Nucleus Research, 61% of all employees access their Facebook profiles at work. While the length of time employees are plugged-in varies from one to 120 minutes per employee per day, according to the same study employers lose an average of 15 minutes of productivity per day from each social networking employee.

What is an employer to do?

An employer can prohibit accessing social networking sites during working hours.  But this approach may have its own detrimental side effects on employee productivity.  According to one university study, employees who surf the Internet at work, including accessing Facebook and YouTube, are 9% more productive than their non-Internet surfing counterparts.  A ban on employee access to social networking sites can also limit the potential benefits an employer might receive from such sites.  For example, the networking site LinkedIn can serve as a valuable tool for businesses looking to build relationships with potential clients/customers.  And, as one researcher has noted, sites like Facebook can assist employees in building relationships with professional acquaintances which can benefit their employers in the long run.

 Monitoring employees’ use of Twitter, Facebook, MySpace, and other social networking sites is another option.  But monitoring employee use of such sites raises several legal issues, including, in particular, whether an employer that accesses an employee’s social networking page without the employee’s consent violates federal law.

Social networking sites offer subscribers a variety of protections to keep their posts private or semi-private.  If a subscriber sets his profile to “private/friends only,” he can reasonably expect that his employer will not have access to his profile posts or pictures unless he accepts the employer as a Facebook “friend.”  But picture this scenario: Co-workers engage in a dialogue critical of their employer on a MySpace page that can only be accessed by individuals invited and authorized by the page creator to view it.  The employer then terminates these employees after learning about the page and its posts from an authorized viewer. Legal? According to the court in Pietrylo v. Hillstone Restaurant Group d/b/a/ Houston’s, (D.N.J. 2008) , the answer to that question depends, in part, on whether the employer violated a federal statute, the Stored Communications Act (“SCA”) (18 U.S.C. § 2701 et seq.).

The SCA applies to communications stored on Internet sites (such as Facebook, MySpace, Twitter, etc.). It imposes criminal penalties on individuals who gain unauthorized access to such stored communications. Employers can run afoul of the SCA by covertly monitoring their employees’ private social networking postings by, for example, using spyware to track keystrokes to gain log-in information. But the Act’s protections extend beyond such covert measures. “Unauthorized access” also encompasses situations where authorized access is exceeded.  The Act excepts from liability “conduct authorized … by a user of that service with respect to a communication of or intended for that user.”  So long as the information is freely provided by someone who is authorized to and has accessed the private website, the Act permits an authorized user to allow a third party to gain access to the same information the authorized user has access to.

In Pietrylo, the employer gained access to an employee’s password-protected, “by invitation only,” MySpace page when an invited member of the page (also an employee) showed it to a manager at a dinner party. The manager thereafter asked the invited member for her log-in name and password, and used that information to repeatedly access the page and its postings. The court held that a jury could find this means of access not “authorized” under the SCA, if the invited member’s consent was given under duress (the invited member thought that she could get in trouble with the company if she did not provide the information). The jury ultimately returned a verdict against the employer, and found that the employer had, in fact, gained unauthorized access to the MySpace page in violation of the SCA.

The Pietrylo decision and verdict does not mean that every request for log-in information will violate the SCA. Had the invited member in Pietrylo freely given the employer her log-in information, the employer would likely have faced no liability. But whether consent is freely given will often be a difficult question to answer, so employers should be cautious when making requests.

Moreover, the potential legal issues raised by accessing a social networking site do not end with the question of authorized access. Once access is lawfully gained, the issue then becomes, what, if anything, employers can do with the information that is discovered. For an overview discussion of those potential legal issues, see Employers: ‘Keep out!’ Beware Intruding in Employee Web Sites by Louis P. DiLorenzo.