Court Holds Employee Facebook And MySpace Postings Are Not Private And Must Be Disclosed In Litigation

Posted on November 15, 2010 by Jessica Satriano

The courts have begun to address the question of whether an employee’s social network profile and postings, including sections only accessible to “friends,” are “private.” Most recently, the New York State Supreme Court for Suffolk County decided that the non-public portions of a plaintiff’s social networking sites are discoverable in litigation when they may contain information relevant to the plaintiff’s claims for damages for loss of enjoyment of life, Romano v. Steelcase Inc.

Ms. Romano sued her employer for, among other things, injuries she sustained that she alleged rendered her permanently disabled. According to the Court’s opinion, the publicly accessible parts of Ms. Romano’s Facebook and MySpace pages contained information which her employer “believed to be inconsistent with her claims” of permanent disability, “especially her claims for loss of enjoyment of life.” For example, publicly accessible photographs showed that Ms. Romano had an “active lifestyle” and traveled from New York to Florida and Pennsylvania during the time she was allegedly home and bed bound due to her injuries. The defendant employer made a discovery demand for access to all of her “current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information”—both the publicly accessible parts of such pages and those parts which Ms. Romano had marked as “private” and made accessible to only her social networking “friends.”
 

In determining that the defendant employer was entitled to the information, the Court concluded that Ms. Romano had no reasonable expectation of privacy in the material. The Court reasoned that because the whole purpose of social networking sites is to share information with others, by creating her Facebook and MySpace pages and posting information and photographs on them, “she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings.” The Court also concluded that any minimal privacy interest was outweighed by New York’s “strong public policy in favor of open disclosure” in litigation. Because the federal Stored Communications Act prohibits a social networking site like Facebook or MySpace from disclosing the information sought without the consent of the owner of the account, the Court ordered Ms. Romano to provide the necessary consent.

The Romano decision was issued in the context of a litigation discovery dispute between an employer and employee, but the case’s impact is potentially broader because of the general principle it enunciates: individuals do not have a reasonable expectation of privacy in Facebook postings, regardless of the privacy settings they choose. As a result, when a co-worker who is “friends” with an employee presents an employer with photographs that the employee posted on Facebook, and those photos clearly demonstrate the employee was on vacation when he had called in sick, the employer may consider that material in its investigation. The employer may do so even if the employee’s privacy settings would have prevented the employer from accessing the photos directly. Of course, when obtaining investigative material from a co-worker, the employer/investigator must still proceed with caution given Stored Communications Act concerns  
Tags: , ,

Seventh Circuit Holds that "Interception" Under Federal Wiretap Act Need Not Be Contemporaneous With Sending of E-Mail

Posted on October 7, 2010 by Sanjeeve DeSoyza

The United States Court of Appeals for the Seventh Circuit’s recent decision in United States v. Szymuszkiewicz is yet another reminder that the law governing monitoring of electronic communications in the workplace is a rapidly evolving, and requires employers to regularly revisit their technology use policies. Szymuszkiewicz was an IRS agent in Wisconsin who was convicted under the federal Wiretap Act for intentionally intercepting an electronic communication. A jury found that he secretly activated the auto-forward “rule” on his supervisor’s Microsoft Outlook e-mail account. As a result, a copy of every e-mail the supervisor received was also sent to the agent. The Wiretap Act makes it unlawful for any person to intercept an oral, wire or electronic communication without authority or the consent of at least one party to the communication.

In challenging the conviction, the agent argued that a communication is only “intercepted” under the Act if it is caught “in flight” (before it reaches its destination). Because he merely forwarded e-mails that had already arrived at his supervisor’s computer, he argued, no “interception” occurred. The only crime he could have been charged with, he contended, was a violation of the Stored Communications Act. Noting the risk in “defend[ing] against one crime by admitting another,” the Seventh Circuit rejected the agent’s argument.

First, the Court found that the Wiretap Act does not require contemporaneous or “in flight” interception at all. Any acquisition of information using a device, including conduct which would violate the Stored Communications Act, can violate the Wiretap Act. The Court noted that the “in flight” analogy really does not work for e-mail messages, which are broken up into packets (segments of message) when sent, transmitted over different routes, at different times, and reassembled at the server. So there is no way to intercept the entire message “in flight.” In rejecting the requirement of contemporaneous interception, the Court declined to follow several other Circuit Courts which have held that the interception had to be “contemporaneous” with the communication.

Finally, the Court concluded that even if the statute imposed a contemporaneous interception requirement, it was met in the case before it because Microsoft Outlook’s default provides for automatic forwarding to occur at the server, not at the recipient’s computer. Because each e-mail to the supervisor was received in packets at, reassembled and sent from the IRS’s regional server in Kansas City almost simultaneously to both the supervisor and agent, the agent’s ‘copying at the server was the unlawful interception, catching the message “in flight”… .

Although Szymuszkiewicz involved the clandestine actions of an employee, its holding has applicability to employer monitoring of employee e-mails. Employers that routinely make copies of employee e-mails as part of their regular business activities (for example, by copying e-mails for archival purposes or auto-forwarding the e-mails of a departed employee so others may respond) can no longer assume that because they are acting on an already-received message they are not “intercepting” it. As noted above, as long as one party to the communication consents to the “interception,” the statute is not violated. For that reason, potential violations of the Wiretap Act can most easily be avoided by taking steps to obtain implied or actual consent. Technology use policies should, at a minimum, put employees on explicit notice that electronic communications created, sent or received using company equipment or via its network are company property and subject to monitoring, access, duplication, review and disclosure by the employer at any time. Employers should also obtain implied consent from employees to take such actions through a statement in the policy and/or log in screen that use of the technology constitutes consent to monitor. A signed acknowledgment from the employee is even better.
 
Tags: , , ,

Dealing with Employee Use of Social Networking Sites

Posted on September 1, 2009 by Jessica Satriano

Being at work apparently poses no obstacle to checking the Facebook or MySpace status of friends and keeping up-to-date with the continuous “tweets” on Twitter.  According to a recent study  conducted by Nucleus Research, 61% of all employees access their Facebook profiles at work. While the length of time employees are plugged-in varies from one to 120 minutes per employee per day, according to the same study employers lose an average of 15 minutes of productivity per day from each social networking employee.

What is an employer to do?

An employer can prohibit accessing social networking sites during working hours.  But this approach may have its own detrimental side effects on employee productivity.  According to one university study, employees who surf the Internet at work, including accessing Facebook and YouTube, are 9% more productive than their non-Internet surfing counterparts.  A ban on employee access to social networking sites can also limit the potential benefits an employer might receive from such sites.  For example, the networking site LinkedIn can serve as a valuable tool for businesses looking to build relationships with potential clients/customers.  And, as one researcher has noted, sites like Facebook can assist employees in building relationships with professional acquaintances which can benefit their employers in the long run.

 Monitoring employees’ use of Twitter, Facebook, MySpace, and other social networking sites is another option.  But monitoring employee use of such sites raises several legal issues, including, in particular, whether an employer that accesses an employee’s social networking page without the employee’s consent violates federal law.

Social networking sites offer subscribers a variety of protections to keep their posts private or semi-private.  If a subscriber sets his profile to “private/friends only,” he can reasonably expect that his employer will not have access to his profile posts or pictures unless he accepts the employer as a Facebook “friend.”  But picture this scenario: Co-workers engage in a dialogue critical of their employer on a MySpace page that can only be accessed by individuals invited and authorized by the page creator to view it.  The employer then terminates these employees after learning about the page and its posts from an authorized viewer. Legal? According to the court in Pietrylo v. Hillstone Restaurant Group d/b/a/ Houston’s, (D.N.J. 2008) , the answer to that question depends, in part, on whether the employer violated a federal statute, the Stored Communications Act (“SCA”) (18 U.S.C. § 2701 et seq.).

The SCA applies to communications stored on Internet sites (such as Facebook, MySpace, Twitter, etc.). It imposes criminal penalties on individuals who gain unauthorized access to such stored communications. Employers can run afoul of the SCA by covertly monitoring their employees’ private social networking postings by, for example, using spyware to track keystrokes to gain log-in information. But the Act’s protections extend beyond such covert measures. “Unauthorized access” also encompasses situations where authorized access is exceeded.  The Act excepts from liability “conduct authorized … by a user of that service with respect to a communication of or intended for that user.”  So long as the information is freely provided by someone who is authorized to and has accessed the private website, the Act permits an authorized user to allow a third party to gain access to the same information the authorized user has access to.

In Pietrylo, the employer gained access to an employee’s password-protected, “by invitation only,” MySpace page when an invited member of the page (also an employee) showed it to a manager at a dinner party. The manager thereafter asked the invited member for her log-in name and password, and used that information to repeatedly access the page and its postings. The court held that a jury could find this means of access not “authorized” under the SCA, if the invited member’s consent was given under duress (the invited member thought that she could get in trouble with the company if she did not provide the information). The jury ultimately returned a verdict against the employer, and found that the employer had, in fact, gained unauthorized access to the MySpace page in violation of the SCA.

The Pietrylo decision and verdict does not mean that every request for log-in information will violate the SCA. Had the invited member in Pietrylo freely given the employer her log-in information, the employer would likely have faced no liability. But whether consent is freely given will often be a difficult question to answer, so employers should be cautious when making requests.

Moreover, the potential legal issues raised by accessing a social networking site do not end with the question of authorized access. Once access is lawfully gained, the issue then becomes, what, if anything, employers can do with the information that is discovered. For an overview discussion of those potential legal issues, see Employers: ‘Keep out!’ Beware intruding in employee web sites by Louis P. DiLorenzo.  

 

Tags: , , , ,