Employee Privacy

Lawmakers Scrutinize Employer Efforts to Access Employee and Applicant Private Social Media Web Sites

April 28, 2012

By Christa Richer Cook

As we noted in our June 17, 2010 blog post, social networking sites have become a popular tool for employers seeking information about job applicants during the hiring process.  However, employers' efforts to obtain information that enables them to access their employees' and applicants' private social media web sites have recently been subject to increased scrutiny by New York State and Federal legislators.

On April 13, 2012, New York State Senator Liz Krueger sponsored and introduced a bill that would prohibit employers, as well as their agents or representatives, from requiring employees or job applicants to disclose log-in names, passwords, or other means for accessing a personal account or service through an electronic communications device.  This includes information such as private social media account log-in names and personal e-mail account passwords.  This proposed legislation would also prohibit employers from discharging, disciplining, or otherwise penalizing an employee, or failing to hire an applicant, based on the refusal to provide information that would enable the employer to access personal accounts or services through an electronic communications device.  The New York Attorney General would have the authority under the proposed legislation to enjoin employers from committing such unlawful practices, and employers could be subject to a $300.00 fine for a first offense and a $500.00 fine for each subsequent offense.

This proposed legislation comes just weeks after U.S. Senators Charles Schumer (D-NY) and Richard Blumenthal (D-CT) sent open letters to the Equal Employment Opportunity Commission and the U.S. Department of Justice urging the agencies to investigate employers' practice of requiring applicants to provide Facebook and e-mail passwords as a condition for job interviews.

Efforts to enact legislation similar to the New York bill are currently underway in several states.  In fact, Maryland recently became the first state to enact legislation that prohibits employers from requiring that employees or applicants disclose user names, passwords, or other means for accessing a personal account or service through an electronic communications device.

As we indicated in our June 17, 2010 blog post, employers should be careful even when viewing publicly available information regarding applicants on social media web sites.  Because Facebook and other similar web sites potentially contain a plethora of information about job applicants that employers cannot consider during the hiring process (e.g., race, national origin, religion, marital status, sexual orientation, etc.), employers should exercise caution in using social media web sites to screen applicants.  Employers who choose to use social media in the hiring process should promulgate a clear policy and procedure for utilizing this tool, and should closely follow the developments in this area of the law.

Board ALJ Finds Firings Based on Facebook Messages Violated NLRA

September 8, 2011

By Subhash Viswanathan

In an earlier post, we reported that the National Labor Relations Board issued a complaint in a case involving the discharge of several employees for posting Facebook messages related to a co-worker’s criticism of their work performance. The case subsequently went to trial before an Administrative Law Judge. On September 2, the ALJ issued an opinion finding that the firings violated the NLRA by interfering with the employees’ right to engage in “concerted activity for the purpose of … mutual aid or protection.”

The Facebook postings occurred after one of the discharged employees learned that a co-worker had complained about the job performance of several employees and had expressed her intent to take the complaints to management. The employee who learned of the criticism posted a message on her Facebook page soliciting comments from other employees about the complaining co-worker’s criticism, and used the co-worker’s name. Predictably, several employees responded expressing various negative opinions about the criticism, the complaining co-worker, and the difficulty of various aspects of their jobs. None of the employees made the posts during work time, and none of them used a work computer. The employer’s Executive Director subsequently met with the five employees and fired all of them for harassment and bullying in violation of the employer’s anti-harassment policy.
 

The main issue in the case was whether the conduct in which the employees had engaged was protected concerted activity within the meaning of the NLRA. Relying on analogous NLRB precedent, the ALJ noted that expressions related to defense of job performance are protected activity. In response to the employer’s argument that the activity was not “concerted” because it was individualized, the ALJ concluded that the activity was concerted because the employees’ Facebook messages were the first step toward group action to defend themselves against accusations they could reasonably believe would be brought to management. The opinion states that: “Employees have a protected right to discuss matters affecting their employment amongst themselves. Explicit or implicit criticism by a co-worker of the manner in which they are performing their jobs is a subject about which employee discussion is protected by Section 7. That is particularly true in this case, where at least some of the discriminatees had an expectation that [the complaining co-worker] might take her criticisms to management.”

Finally, the ALJ rejected the employer’s argument that it was merely enforcing its anti-harassment policy. The Judge concluded that the policy, which prohibited harassment based on protected characteristics, was not violated because there was no evidence the complaining co-worker was harassed, and no evidence she was harassed based on one of the protected characteristics listed in the policy.
 

California Court Rules Employee\'s Emails to Attorney Not Privileged When Sent Via Employer\'s E-mail System

February 16, 2011

By Jessica C. Moller

An appellate court in California recently held that an employee’s email exchanges with an attorney via the employee’s work email account were not protected by the attorney-client privilege, Holmes v. Petrovich Development Co. According to the Court’s opinion, when Gina Holmes began working for Petrovich Development Co., she read and signed the company’s employee handbook, which contained a policy regarding use of the company’s technology resources. The policy advised employees that: (1) the company’s technology resources, such as computers and email accounts, were for business purposes only; (2) employees had no expectation of privacy in the information or messages “created or maintained” on the company’s technology resources, including any emails sent or received on a company email account; and (3) the company could “inspect all files or messages … at any time for any reason at its discretion” and would periodically monitor files and messages. When Holmes got into an argument with the CEO about becoming pregnant a month after being hired, she exchanged two emails with an attorney via her company email account in which she explained her situation and asked about her rights. The next day, and after meeting with the attorney, Holmes quit her job claiming a hostile work environment and constructive discharge.

Holmes subsequently brought suit against the company. The trial court granted summary judgment dismissing some of her claims, and a jury found for Petrovich on the remaining claims, including invasion of privacy.  On appeal, Holmes argued, among other things, that the trial court erred in permitting the e-mails to her attorney to be entered in evidence, contending they were protected by the attorney-client privilege. Such communications between an attorney and client can be privileged. For example, in Stengart v. Loving Care Agency, Inc., emails sent by an employee at work via her personal email account were held to be privileged where the employer’s policy permitted employees to use company computers for “occasional personal use.” In Holmes, however, the Court held that because Holmes had been advised of the company’s technology resources policy before the emails were exchanged, but nonetheless chose to engage in an email exchange via her company email account, Holmes’ emails with the attorney were not privileged. As the Court held: “… the e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard by [her employer]. By using the company’s computer to communicate with her lawyer, knowing the communications violated company computer policy and could be discovered by her employer due to company monitoring of e-mail usage,” the emails lost any protection they otherwise would have had.

While the question of whether attorney-client communications over an employer’s computer network are protected is not a settled issue, and turns on the facts of the case, the lesson to employers from the Holmes case is clear. Employers should institute and disseminate to employees an appropriate technology resources policy that makes clear employees have no right to privacy in the emails they send or receive via an employer email account and that such emails can be monitored by the employer at any time.
 

Termination of Employee for Facebook Postings Results in NLRB Complaint

November 17, 2010

By Subhash Viswanathan

The National Labor Relations Board (“NLRB”) recently filed a complaint against American Medical Response of Connecticut, Inc. (“AMR”), alleging that AMR violated the National Labor Relations Act (“NLRA”) by discharging an employee for posting comments on her Facebook page that were critical of her supervisor. In addition, the NLRB’s complaint alleges that AMR’s social networking policy constituted an unlawful restriction on employees’ rights to communicate with one another about their terms and conditions of employment and otherwise engage in protected concerted activity under the NLRA. A hearing before an Administrative Law Judge is scheduled with respect to the NLRB’s allegations on January 25, 2011.

AMR’s Employee Handbook included a Blogging and Internet Posting Policy that prohibited employees from: (1) posting pictures of themselves which depict AMR in any way unless written approval from the Vice President of Corporate Communications is granted; and (2) making “disparaging, discriminatory, or defamatory comments when discussing the Company or the employee’s superiors, co-workers and/or competitors.” According to the NLRB complaint, an AMR employee named Dawnmarie Souza (“Ms. Souza”) “engaged in concerted activities with other employees” on November 8, 2009, by criticizing her supervisor on her Facebook page. According to a press release issued by the NLRB that accompanied its filing of the complaint, Ms. Souza’s criticism of her supervisor drew supportive responses from her co-workers, which resulted in Ms. Souza making additional negative comments about her supervisor on her Facebook page. Ms. Souza was discharged from her employment with AMR on or about December 1, 2009.

In the complaint, the NLRB alleges that AMR interfered with, restrained, and coerced its employees in the exercise of their right to engage in protected concerted activities, by promulgating its Blogging and Internet Posting Policy and by discharging Ms. Souza. The NLRB also alleges that AMR discriminated against Ms. Souza for her protected concerted activity by discharging her. According to the NLRB’s press release, the NLRB is taking the position that AMR’s Blogging and Internet Posting Policy contains unlawful provisions, including: (1) the provision that prohibits employees from making disparaging remarks about AMR or supervisors of AMR; and (2) the provision that prohibits employees from depicting AMR in any way without permission.

The NLRB’s position regarding the unlawfulness of AMR’s social networking policy appears to signify a departure from a recent opinion issued by the NLRB General Counsel’s Division of Advice on December 4, 2009. In that opinion, the Division of Advice considered an employer’s social networking policy that prohibited, among other things, “disparagement of company’s or competitors’ products, services, executive leadership, employees, strategy, and business prospects.” The Division of Advice concluded that the policy, as written, was lawful because employees could not reasonably construe the policy as prohibiting the types of concerted activities protected by the NLRA. The Division of Advice also found no evidence that the policy was promulgated in response to union organizing activity or was applied for the purpose of discouraging union organizing activity.

Although a hearing has not yet been held in the AMR case and a decision has not yet been rendered, the issuance of a complaint in that case indicates that the NLRB will closely scrutinize employer policies that potentially restrict an employee’s right to discuss terms and conditions of employment through social networking sites. Accordingly, all employers (regardless of whether their employees are unionized or not) should take this opportunity to review their social networking policies, and amend those policies to ensure that there is no language that could reasonably be construed by employees as prohibiting concerted activities relating to terms and conditions of employment. Employers who are contemplating the promulgation of a social networking policy should make sure to craft the language of the policy carefully to reduce the risk that the NLRB will find the policy to be an unlawful restriction on employee rights.
 

Court Holds Employee Facebook And MySpace Postings Are Not Private And Must Be Disclosed In Litigation

November 15, 2010

By Jessica C. Moller

The courts have begun to address the question of whether an employee’s social network profile and postings, including sections only accessible to “friends,” are “private.” Most recently, the New York State Supreme Court for Suffolk County decided that the non-public portions of a plaintiff’s social networking sites are discoverable in litigation when they may contain information relevant to the plaintiff’s claims for damages for loss of enjoyment of life, Romano v. Steelcase Inc.

Ms. Romano sued her employer for, among other things, injuries she sustained that she alleged rendered her permanently disabled. According to the Court’s opinion, the publicly accessible parts of Ms. Romano’s Facebook and MySpace pages contained information which her employer “believed to be inconsistent with her claims” of permanent disability, “especially her claims for loss of enjoyment of life.” For example, publicly accessible photographs showed that Ms. Romano had an “active lifestyle” and traveled from New York to Florida and Pennsylvania during the time she was allegedly home and bed bound due to her injuries. The defendant employer made a discovery demand for access to all of her “current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information”—both the publicly accessible parts of such pages and those parts which Ms. Romano had marked as “private” and made accessible to only her social networking “friends.”
 

In determining that the defendant employer was entitled to the information, the Court concluded that Ms. Romano had no reasonable expectation of privacy in the material. The Court reasoned that because the whole purpose of social networking sites is to share information with others, by creating her Facebook and MySpace pages and posting information and photographs on them, “she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings.” The Court also concluded that any minimal privacy interest was outweighed by New York’s “strong public policy in favor of open disclosure” in litigation. Because the federal Stored Communications Act prohibits a social networking site like Facebook or MySpace from disclosing the information sought without the consent of the owner of the account, the Court ordered Ms. Romano to provide the necessary consent.

The Romano decision was issued in the context of a litigation discovery dispute between an employer and employee, but the case’s impact is potentially broader because of the general principle it enunciates: individuals do not have a reasonable expectation of privacy in Facebook postings, regardless of the privacy settings they choose. As a result, when a co-worker who is “friends” with an employee presents an employer with photographs that the employee posted on Facebook, and those photos clearly demonstrate the employee was on vacation when he had called in sick, the employer may consider that material in its investigation. The employer may do so even if the employee’s privacy settings would have prevented the employer from accessing the photos directly. Of course, when obtaining investigative material from a co-worker, the employer/investigator must still proceed with caution given Stored Communications Act concerns  

Seventh Circuit Holds that "Interception" Under Federal Wiretap Act Need Not Be Contemporaneous With Sending of E-Mail

October 6, 2010

By Sanjeeve K. DeSoyza

The United States Court of Appeals for the Seventh Circuit’s recent decision in United States v. Szymuszkiewicz is yet another reminder that the law governing monitoring of electronic communications in the workplace is a rapidly evolving, and requires employers to regularly revisit their technology use policies. Szymuszkiewicz was an IRS agent in Wisconsin who was convicted under the federal Wiretap Act for intentionally intercepting an electronic communication. A jury found that he secretly activated the auto-forward “rule” on his supervisor’s Microsoft Outlook e-mail account. As a result, a copy of every e-mail the supervisor received was also sent to the agent. The Wiretap Act makes it unlawful for any person to intercept an oral, wire or electronic communication without authority or the consent of at least one party to the communication.

In challenging the conviction, the agent argued that a communication is only “intercepted” under the Act if it is caught “in flight” (before it reaches its destination). Because he merely forwarded e-mails that had already arrived at his supervisor’s computer, he argued, no “interception” occurred. The only crime he could have been charged with, he contended, was a violation of the Stored Communications Act. Noting the risk in “defend[ing] against one crime by admitting another,” the Seventh Circuit rejected the agent’s argument.

First, the Court found that the Wiretap Act does not require contemporaneous or “in flight” interception at all. Any acquisition of information using a device, including conduct which would violate the Stored Communications Act, can violate the Wiretap Act. The Court noted that the “in flight” analogy really does not work for e-mail messages, which are broken up into packets (segments of message) when sent, transmitted over different routes, at different times, and reassembled at the server. So there is no way to intercept the entire message “in flight.” In rejecting the requirement of contemporaneous interception, the Court declined to follow several other Circuit Courts which have held that the interception had to be “contemporaneous” with the communication.

Finally, the Court concluded that even if the statute imposed a contemporaneous interception requirement, it was met in the case before it because Microsoft Outlook’s default provides for automatic forwarding to occur at the server, not at the recipient’s computer. Because each e-mail to the supervisor was received in packets at, reassembled and sent from the IRS’s regional server in Kansas City almost simultaneously to both the supervisor and agent, the agent’s ‘copying at the server was the unlawful interception, catching the message “in flight”… .

Although Szymuszkiewicz involved the clandestine actions of an employee, its holding has applicability to employer monitoring of employee e-mails. Employers that routinely make copies of employee e-mails as part of their regular business activities (for example, by copying e-mails for archival purposes or auto-forwarding the e-mails of a departed employee so others may respond) can no longer assume that because they are acting on an already-received message they are not “intercepting” it. As noted above, as long as one party to the communication consents to the “interception,” the statute is not violated. For that reason, potential violations of the Wiretap Act can most easily be avoided by taking steps to obtain implied or actual consent. Technology use policies should, at a minimum, put employees on explicit notice that electronic communications created, sent or received using company equipment or via its network are company property and subject to monitoring, access, duplication, review and disclosure by the employer at any time. Employers should also obtain implied consent from employees to take such actions through a statement in the policy and/or log in screen that use of the technology constitutes consent to monitor. A signed acknowledgment from the employee is even better.
 

U.S. Supreme Court Decision Highlights Importance of Clear Technology Use Policy

June 18, 2010

By Jessica C. Moller

On June 17, 2010, the U.S. Supreme Court issued a decision in a closely watched case involving discipline of an employee for improper text messaging, City of Ontario v. Quon. Although the Court’s ruling is narrow in scope, finding that the public employer’s search of the text messages was a reasonable search within the meaning of the Fourth Amendment, the Court clearly implied that an employee’s reasonable expectation of privacy will be shaped by a clearly communicated employer policy governing the use of each particular type of employer-provided technology.

The case involved the Ontario Police Department’s review of text messages sent and received by one of its officers on a department-owned electronic pager. The Department had a “Computer Usage, Internet and E-mail Policy” that gave the department the right to monitor employee Internet and e-mail use and all network activity. Although the policy did not explicitly cover text messaging, the department had officially stated that text messages on department owned pagers would be treated the same as e-mails under that policy.
 

Every officer in the department who was assigned an electronic pager was allotted 25,000 characters of use. When there was an overage, a lieutenant audited the text messages to ensure the pager was being used only for business-related purposes. In practice, however, whenever the plaintiff in the case, Sgt. Jeffery Quon, exceeded the allotment, the lieutenant told him he would not audit the messages if he paid the department for the overage costs. After Quon exceeded his allotment several times, the police chief ordered an audit of his text messages to determine whether the allotment was still sufficient for work-related messages, or whether the pager was being used for Quon’s personal use. During the audit, sexually explicit text messages were discovered and Quon was disciplined.

Quon sued claiming, among other things, that the audit of his text messages was an unlawful search in violation of his Fourth Amendment rights. The Ninth Circuit Court of Appeals agreed, holding that Quon had a reasonable expectation of privacy in the content of the text messages because of the lieutenant’s assurances that the messages would not be read if the overage was paid. The City appealed to the United States Supreme Court.

The high court reversed, but rather than issue a broad pronouncement concerning employee privacy rights in electronic communications, decided the case on narrower grounds. As the Court explained: “A broad holding concerning employees’ privacy expectations vis-À-vis employer-provided technological equipment might have implications for future cases that cannot be predicted.”

For that reason, the Court assumed that Quon had a reasonable expectation of privacy in his text messages. The Court then went on to hold that the audit of Quon’s texts was a reasonable search both at its inception and in its scope, and therefore did not violate the Fourth Amendment. The department had a legitimate interest in auditing the text messages to “ensur[e] that employees were not being forced to pay out of their own pockets for work-related expenses, or on the other hand that the City was not paying for extensive personal communications.” In addition, “reviewing the transcripts [of Quon’s text messages] was reasonable because it was an efficient and expedient way to determine whether Quon’s overages were the result of work-related messaging or personal use.”

In what can and should be read as an important notice to employers, the Court emphasized the importance of a technology use policy noting - “[e]mployer policies concerning communications will of course shape the reasonable expectations of employees, especially to the extent that such policies are clearly communicated.” The Court also noted Quon’s assertion that a supervisory employee created an expectation of privacy by assuring him that his text messages would not be audited if he paid overage charges. To avoid such claims, employers should train employees on their technology use policy and draft such policies to ban verbal modification.

The case also highlights a potential problem with the scope of many employer policies. The Court noted a distinction between employer-provided e-mail, and text messages typically transmitted through the cell phone provider’s server. An employer cannot assume that a policy which covers communications passing through its server also covers those that do not. In Quon, the department’s policy focused on e-mail, without mentioning text messages, but when pagers were issued, the department informed employees that its policy applied to text messages as well. That may not be enough in all cases. Given the increased use of smart phones and personal e-mail accounts accessed through employer-provided equipment, employers are well-advised to draft technology use policies broadly. However, such policies must be drafted with care given the Supreme Court’s observation that the audit of messages on Quon’s employer-provided pager “was not nearly as intrusive as a search of his personal e-mail account or pager … would have been.”

The take away from the Quon decision is clear – employers should adopt a carefully crafted technology use policy, distribute it to employees and educate employees on its meaning and scope. Doing so will limit employee privacy expectations and better prepare the employer to successfully defend technology-related privacy claims.
 

Social Networking Sites: Savvy Screening Tool or Legal Trap?

June 17, 2010

By Christa Richer Cook

Social networking sites (e.g., Facebook, MySpace, LinkedIn, Twitter, etc.) are fast becoming a popular tool for employers seeking information about job applicants. It has been reported that the number of employers currently using social media during the recruitment and hiring process has more than doubled in the past two years. According to the same source, 45 percent of employers currently use social networking sites to screen potential job candidates and 35 percent of those employers have rejected an applicant because of information they discovered, such as inappropriate pictures, information regarding alcohol or drug use, and postings in which the applicant “bad-mouthed” a former employer, bragged about prior acts of misconduct or made discriminatory remarks.

The incentives for an employer to use a social networking site are clear: It is fast, free and easy. There can be little doubt that social networking sites contain a potential treasure trove of information about an applicant’s character. Employers want the best fit for the organization and the particular position, and online information may help in making that determination. However, employers should be aware that online profiles often contain inaccurate information and information that may be easily taken out of context or misunderstood. An individual may have little control over the information on his or her “wall” or message board.
 

Just as important, employers should be mindful that they may learn things about applicants that cannot legally be used to make hiring decisions, even though the information is publicly available. For example, employers all know that it is illegal to make a hiring decision based on an individual’s race, religion, disability, sexual orientation, or other protected characteristic. In fact, in New York, an employer cannot ask an applicant for those types of information. But it is nearly impossible to visit a job applicant’s MySpace or Facebook page without also accessing those types of information. For example, in addition to the general information contained in an individual’s Facebook profile, which may list gender, marital status, religion, and age, an individual’s profile picture will reveal his/her ethnicity and, if not already disclosed in the profile, the individual’s sex. Most of this information will be revealed even if the individual takes advantage of the sites’ privacy features that limit who can become a “friend” or a member of the individual’s network.

In addition, most Facebook users post pictures of their family and friends on their pages, which may reveal a lot about their personal lives. This too can present an employer with information it may not want to have. For example, an employer might find pictures of a job applicant’s baby shower on her Facebook page. Of course, an employer cannot legally refuse to hire the applicant because she is pregnant, but once it has the information it has increased the risk of having to defend such a claim.

In addition to containing information about an applicant’s membership in classifications protected under the equal employment opportunity laws, an individual’s union activity or affiliation may also be readily discoverable. In addition to general “union organizing” pages, many unions have developed Facebook pages. In using social media screening, an employer might discover that a particular job applicant is a “fan” of a union that has been attempting to organize the company at which the applicant has applied. It would be unlawful for an employer to discriminate against an applicant based on such union activity or affiliation.

And employers cannot assume that their online searches will remain secret. Today, electronic discovery is sought in most discrimination lawsuits and may include records of online searches of social networking sites

So what can employers do to minimize the risk that this valuable tool will lead to liability? At a minimum, employers who use online searches should develop a fair and uniform policy and procedure for online searches. Employers should determine if social networking checks will be conducted, for what job categories or positions, the scope of such searches, and the types of information to be obtained and documented. The policy should also address the time during the hiring process when such screening will occur, preferably later in the hiring process to limit the number of applicants affected. Most importantly, the individual conducting the screening should not be a decisionmaker, should report only relevant information, and should not record or report any information which an employer could not lawfully solicit on an employment application. If using a third-party to conduct such screening, compliance with federal and state fair credit reporting obligations is required.

As with all steps in the hiring process, the information obtained and relied upon should be documented and retained with other hiring records. By using a policy to define the criteria or information to be sought in the screening, employers can more easily manage the documentation task by retaining only information which meets the designated search criteria. Finally, once it has been determined what job categories or positions will be subject to screening, employers should be consistent in conducting searches only when filling those positions.
 

Employee E-Mail on Employer\'s Computer System May Still Be Private

April 7, 2010

By Sanjeeve K. DeSoyza

Last week, the New Jersey Supreme Court ruled that an employee has a reasonable expectation of privacy in communications with her lawyer via a personal, password-protected e-mail account, even if accessed on company-issued computer equipment. In Stengart v. Loving Care Agency, Inc., a forensic expert was hired by Loving Care to image Stengart’s laptop after she left her position and filed a lawsuit against the company. In the process, several e-mails exchanged between Stengart and her lawyer through her personal Yahoo e-mail account, were retrieved. The e-mails were reviewed by Loving Care’s counsel, and at least one was utilized in responding to discovery demands. The trial court found no violation of the attorney-client privilege, ruling that Loving Care’s electronic communications policy placed Stengart on sufficient notice that her e-mails were considered company property. However, an intermediate appellate court reversed. It found that the attorney-client privilege applied to the e-mails and ordered the return of the e-mails. In addition, it sent the case back to the trial court for a hearing on potential sanctions against counsel.

After Loving Care appealed those rulings, New Jersey’s highest court agreed, finding that Stengart had a subjective expectation of privacy because she took steps to protect her e-mails, sending them from her personal, password-protected account and not saving her password to the computer. Several factors also convinced the Court that her expectation of privacy was objectively reasonable. For one thing, the precise scope of the company’s e-mail policy was unclear. It did not address use of personal web-based e-mail accounts on company equipment nor did it warn employees that e-mails sent through personal accounts could be forensically retrieved and reviewed. And although the policy provided that e-mails were not to be considered private and confidential, it nevertheless permitted “occasional personal use”, thereby creating ambiguity as to whether personal e-mail was company or private property. The Court also found it significant that the e-mails did not constitute illegal or inappropriate material stored on company equipment, and that the e-mails from Stengart’s attorney included a standard notice as to the personal, confidential, and, possibly, attorney-client nature of the communication. Because Stengart reasonably expected her e-mails would remain private, the court concluded, the attorney-client privilege protected those e-mails from disclosure and no waiver occurred. The Court then expanded on its ruling, declaring that even if a policy expressly banned all personal computer use and unambiguously notified employees that the company could retrieve and read their attorney-client communications sent via a personal, password-protected e-mail account on company equipment, it would nevertheless be outweighed by the public policy concerns underlying the attorney-client privilege and rendered unenforceable.

The New Jersey decision is not binding precedent in New York, although it could be influential. Neither the Second Circuit nor New York’s Court of Appeals have addressed this issue. However, in Scott v. Beth Israel Medical Center, a New York trial court found no privilege where the attorney-client e-mails were exchanged via a company-issued e-mail address on company equipment. In that case, however, the employer’s e-mail policy – which expressly banned any personal e-mail use and further provided that any e-mails received or sent using company equipment were company property – was “critical” to the Court’s decision.

New York employers who permit some personal e-mail use should consider taking a proactive approach by revising their existing technology policies with the Stengart and Scott decisions in mind. Suggested revisions include expressly notifying employees that all e-mails sent or received using company equipment may be reviewed at the company’s discretion, and that all materials accessed, created, received or sent on company-issued computer equipment, including e-mail communications, may remain stored on that equipment even after deletion and retrieved by the employer. Employers should also establish protocols and train appropriate employees in handling potentially privileged communications that may turn up in the course of electronic monitoring.

 

A Few Tips for Drafting Social Networking Policies

February 28, 2010

Social networking and blogging sites, such as Facebook and Twitter, continue to grow in popularity. The number of participants is staggering. Facebook alone recently reported that it now has more than 400 million active users.

Given the rise in use of social networking sites, employers should consider implementing  a policy governing employee use of such sites. A well-drafted social networking policy is essential because an employer’s existing policies, such as those governing confidentiality or the use of the employer’s computer systems, may not be broad enough to protect against employee misuse of these sites. This post covers some of the issues to consider in drafting an effective social networking policy, and also discusses the practicalities of investigating alleged violations of such a policy.
 

One of the first things to consider in drafting a social networking policy is whether to allow employees to access the sites through the use of the employer’s technology, such as computer and email systems or handheld devices, and whether access will be permitted during work time. The answer to these questions may depend upon the nature of the employer’s business and whether there are business-related reasons for employees to use the sites.

A social networking policy should also prohibit inappropriate postings on, or the inappropriate use of the sites, and should advise employees what is considered inappropriate. Defining the line between appropriate and inappropriate, however, may be the most difficult challenge, particularly for those employers employing a relatively young workforce. Examples of inappropriate postings include comments and complaints that are disparaging to the employer, or the disclosure of an employer’s proprietary or confidential information or of any information that is protected by law. Employers should also consider whether to forbid employees from posting any information about the employer, or if certain information would be permissible with the employer’s prior approval. Employees should generally not be allowed to speak on behalf of their employer, unless specifically authorized to do so. See our January 27, 2010 post.

In defining what constitutes impermissible conduct under the policy, employers must use caution to avoid infringing on employees’ rights under Section 7 of the National Labor Relations Act. The policy cannot be drafted in a way that employees would reasonably construe as prohibiting discussion of wages, hours, and working conditions. A policy which prohibits and specifically describes a broad range of inappropriate communication is less likely to run afoul of the National Labor Relations Act.

Because enforcing a social networking policy can be difficult, the policy should require employees to report known violations to the human resources office or a member of management. As with other key policies, employees should be told that it is their “responsibility” to help the employer ensure compliance with the policy. The potential consequences of a violation of the policy should also be described. This can be as simple as a warning that an employee may be subject to discipline, up to and including discharge.

Once developed, the policy should be distributed to all employees, who should be required to acknowledge in writing that they have received it. The policy should be redistributed to employees periodically.

A social networking policy is most effective when developed in conjunction with a policy governing employee use of technology belonging to the employer. A policy of this kind should be designed to lower employees’ expectations of privacy when using the employer’s technology by including language stating that the employer reserves the right to access, intercept and monitor all information accessed, sent, or received through the employer’s systems. Employers should also obtain the express consent of employees both to monitor communications and to access stored communications. This is best accomplished by requiring employees to sign written consent forms. Alternatively, an employer can establish that employees have consented to the monitoring and accessing of communications by requiring them to click on a pop-up screen acknowledging consent to the employer’s policies before access is granted to the employer’s computer systems.

Even with a well-drafted social networking policy in place, investigating potential violations, such as an allegation that an employee has posted something inappropriate on a site, can be challenging. It may be difficult to verify that the alleged misconduct occurred because the information may be posted on a secured site not accessible to the public or it may be deleted before the investigation has been completed. If the posting was prepared or accessed using technology belonging to the employer, an employee’s consent to access that information could be obtained through the type of technology use policy discussed above.

If the employer’s technology was not used, it may be impossible to view the posting without the employee’s consent. In that scenario, an employer may have no recourse other than to simply question the employee about the posting, and to speak to any co-workers who may have seen it. Employers should hesitate before asking employees for their personal log-in information. Aliases or similar surreptitious means to access a secured site should not be used, and an employer should take steps to protect an employee’s privacy in the investigation.

If an investigation concludes that an employee has violated the social networking policy, appropriate discipline should be considered, but an employer should use caution when meting out discipline. Public employers should also be aware that the First Amendment may protect an employee who speaks on what is considered to be a matter of public concern.
 

Employee Endorsements Can Now Lead To Employer Liability

January 27, 2010

By Jessica C. Moller

Under guidelines recently issued by the Federal Trade Commission (“FTC”)—Guides Concerning the Use of Endorsements and Testimonials in Advertising, 16 CFR Part 255—an employer may now face liability for employee endorsements of its products and services, if the employment relationship is not disclosed. The guidelines, which took effect on December 1, 2009, require that employees who endorse their employer’s products or services, must “clearly disclose” the employment relationship within the endorsement.

Although the new guidelines are primarily concerned with celebrity endorsements, they also apply to more routine comments ordinary employees may make on social media outlets such as personal blogs, Facebook and Twitter. The FTC has stated, for example, that where an on-line blogger discusses a product manufactured by her employer, she “should clearly disclose her relationship to the manufacturer to members and readers of the message board” because knowledge of that relationship “likely would affect the weight of credibility of her endorsement” in the eyes of the public. If the employment relationship is not disclosed, both the employer and employee may face liability under Section 5 of the Federal Trade Commission Act (15 USC § 45 et seq.), which prohibits unfair or deceptive acts or practices in the marketplace. This is so even if the employee’s endorsement was not authorized or sponsored by the employer, and even where the actual endorsing statement is not misleading.
 

While the FTC has indicated that it is not necessarily going to take enforcement action against an employer for the statements of a single “rogue” employee, employers should nonetheless take proactive steps to help protect against potential liability by ensuring that their technology usage policies cover all electronic communications, employee blogging and use of social networking sites (e.g., Facebook, Twitter, MySpace, LinkedIn). The policy should also clearly inform employees whether they are permitted to discuss the employer’s products and/or services online. There are advantages and disadvantages to authorizing such discussions. Permitting employees to do so may well serve the interests of the employer by providing increased exposure through positive word-of-mouth. However, it could also yield negative statements about the employer or its products which are seemingly authorized by the policy. Where an employer elects to allow employees to discuss its products/services, the policy should state that employees who engage in such discussions are required to clearly and conspicuously disclose their relationship with the employer. The policy should also require employees to include a disclaimer within any online discussion of the employer’s products/services, such as, “any opinion stated is that of the employee, and is not authorized by the employer.”

Dealing with Employee Use of Social Networking Sites

August 31, 2009

By Jessica C. Moller

Being at work apparently poses no obstacle to checking the Facebook or MySpace status of friends and keeping up-to-date with the continuous “tweets” on Twitter.  According to a recent study  conducted by Nucleus Research, 61% of all employees access their Facebook profiles at work. While the length of time employees are plugged-in varies from one to 120 minutes per employee per day, according to the same study employers lose an average of 15 minutes of productivity per day from each social networking employee.

What is an employer to do?

An employer can prohibit accessing social networking sites during working hours.  But this approach may have its own detrimental side effects on employee productivity.  According to one university study, employees who surf the Internet at work, including accessing Facebook and YouTube, are 9% more productive than their non-Internet surfing counterparts.  A ban on employee access to social networking sites can also limit the potential benefits an employer might receive from such sites.  For example, the networking site LinkedIn can serve as a valuable tool for businesses looking to build relationships with potential clients/customers.  And, as one researcher has noted, sites like Facebook can assist employees in building relationships with professional acquaintances which can benefit their employers in the long run.

 Monitoring employees’ use of Twitter, Facebook, MySpace, and other social networking sites is another option.  But monitoring employee use of such sites raises several legal issues, including, in particular, whether an employer that accesses an employee’s social networking page without the employee’s consent violates federal law.

Social networking sites offer subscribers a variety of protections to keep their posts private or semi-private.  If a subscriber sets his profile to “private/friends only,” he can reasonably expect that his employer will not have access to his profile posts or pictures unless he accepts the employer as a Facebook “friend.”  But picture this scenario: Co-workers engage in a dialogue critical of their employer on a MySpace page that can only be accessed by individuals invited and authorized by the page creator to view it.  The employer then terminates these employees after learning about the page and its posts from an authorized viewer. Legal? According to the court in Pietrylo v. Hillstone Restaurant Group d/b/a/ Houston’s, (D.N.J. 2008) , the answer to that question depends, in part, on whether the employer violated a federal statute, the Stored Communications Act (“SCA”) (18 U.S.C. § 2701 et seq.).

The SCA applies to communications stored on Internet sites (such as Facebook, MySpace, Twitter, etc.). It imposes criminal penalties on individuals who gain unauthorized access to such stored communications. Employers can run afoul of the SCA by covertly monitoring their employees’ private social networking postings by, for example, using spyware to track keystrokes to gain log-in information. But the Act’s protections extend beyond such covert measures. “Unauthorized access” also encompasses situations where authorized access is exceeded.  The Act excepts from liability “conduct authorized … by a user of that service with respect to a communication of or intended for that user.”  So long as the information is freely provided by someone who is authorized to and has accessed the private website, the Act permits an authorized user to allow a third party to gain access to the same information the authorized user has access to.

In Pietrylo, the employer gained access to an employee’s password-protected, “by invitation only,” MySpace page when an invited member of the page (also an employee) showed it to a manager at a dinner party. The manager thereafter asked the invited member for her log-in name and password, and used that information to repeatedly access the page and its postings. The court held that a jury could find this means of access not “authorized” under the SCA, if the invited member’s consent was given under duress (the invited member thought that she could get in trouble with the company if she did not provide the information). The jury ultimately returned a verdict against the employer, and found that the employer had, in fact, gained unauthorized access to the MySpace page in violation of the SCA.

The Pietrylo decision and verdict does not mean that every request for log-in information will violate the SCA. Had the invited member in Pietrylo freely given the employer her log-in information, the employer would likely have faced no liability. But whether consent is freely given will often be a difficult question to answer, so employers should be cautious when making requests.

Moreover, the potential legal issues raised by accessing a social networking site do not end with the question of authorized access. Once access is lawfully gained, the issue then becomes, what, if anything, employers can do with the information that is discovered. For an overview discussion of those potential legal issues, see Employers: ‘Keep out!’ Beware Intruding in Employee Web Sites by Louis P. DiLorenzo.