Companies are increasingly being pressured to defend their data protection programs and make trade secret protection a top priority. This pressure arises from many sources, including, reports of corporate espionage by foreign governments, employees’ increased use of smart phones, tablets and external storage devices, and studies showing that a large percentage of departing employees take confidential company information with them when they leave a company’s employ. As a result, companies must evaluate whether their approach to protecting trade secrets is keeping pace with technological advances and whether they have established internal best practices. So what are some of those best practices? Here are just a few of the recommendations that have been created by and will be discussed by my colleagues Sten-Erik Hoidal and Timothy M. O’Shea at an upcoming seminar at Fredrikson & Byron (registration information below):
(1) Conduct a Data Protection Audit
Determine what information is confidential or trade secret, who has access to such information, and where it is stored.
(2) Deploy Security Measures And Policies
Use physical and electronic security measures such as access controls for the building and areas within the building, locked doors and cabinets, password protected files or encryption, ID badges for employees, restricting the location/time/and access to such information, and labeling documents as confidential and trade secret.
(3) Use Appropriate Contractual Protections
Include confidentiality clauses in employment agreements for those employees who will have access to confidential and trade secret information, and use a non-disclosure agreement with employees or any third parties given access to confidential data is critical for protecting confidential information and trade secrets.
(4) Implement Clear, Enforceable Policies Relating To Authorized Use Of Company Property
Implement an electronic use policy that alerts employees that computers are company property and remind them that the company reserves the right to monitor employees’ emails, internet, and computer use (i.e., that the employee has no expectation of privacy).
(5) Implement Procedures For Departing Employees
Conduct exit interviews, eliminate access to computer systems, require return of all company documents and information, and request acknowledgment that employee has complied.
These are just a few of the best practices relating to protection of your company data. If you are interested in learning more about how you can best protect your company data, consider joining us for this seminar on Thursday February 27, 2014 (registration link). In addition to some of the best practices above, the program will offer the following Practical Perspectives:
- Key lessons learned from recent trade secret cases about what evidence is important to support a civil or criminal case for trade secret theft or misappropriation of confidential information.
- How to work with law enforcement and the Department of Justice to seek criminal prosecution against former employees for trade secret and other data theft, as well as preventative best practices that will help support a criminal prosecution.
I will be moderating this discussion with a great group of panelists, including:
- Timothy C. Rank, Assistant U.S. Attorney, U.S. Department of Justice
- Tamara L. White, Supervisory Special Agent – Minneapolis Counterintelligence Program, Federal Bureau of Investigations
- Sten-Erik Hoidal, Attorney, Fredrikson & Byron, P.A.
- Timothy M. O’Shea, Attorney, Fredrikson & Byron, P.A.
The seminar will take place on February 27, 2014, at 7:30 a.m. (Registration and Continental Breakfast), 8:00 – 9:30 a.m. (Panel Discussion and Q&A) at Fredrikson & Byron, 200 South Sixth Street, 40th Floor
Minneapolis. If you are interested:
Click here to register for this seminar! We hope that you can make it so we can continue this discussion!
In early 2013, Snapchat, an app that allows users to send self-destructing photos, became the second-most popular iPhone app with approximately 50 million snaps a day. While Snapchat is aimed at a younger non-business audience (think teens sending “selfies” to their friends), we had recently been talking about the potential legal implications arising from employee use of Snapchat. In the midst of that discussion, along comes Confide. Confide is a free text-based iOS app that permits users to send text/email messages to others which disappear as soon as they are read by the receiving party (the app requires iOS 7.0 or later and is optimized for the iPhone 5).
Confide targets its service to professionals who want to discuss personal, business or legal issues without the fear of an evidentiary trail. In the “Frequently Asked Questions” section of its website, Confide provided its “good use cases for Confide” as follows:
1. Anytime you send an email or text saying “Confidential — don’t forward”
2. Anytime you respond to an email or text with “I’ll call you”
3. Anytime you say “Can you send me your personal email; I’d prefer this conversation not be on work servers”
The FAQ’s go on to state that good uses could include discussions about “[j]ob referrals, HR issues, deal discussions, and even some good-natured office gossip.”
I admit the thought of business messages being sent purposefully so that employees (including management) can have “off-the-record” discussions – that immediately disappear – causes some level of anxiety for the employment lawyer side of me. But, let’s look at how this app works before I provide any thoughts on its business use.
So – in light of all of those features, what do businesses need to be thinking about in deciding whether to embrace or reject this new technology?
- Confide grants users the ability to engage in private communications that won’t be stored anywhere. This could be used for communications that really don’t need to be permanently recorded, such as where to meet for lunch, whether you are attending a particular meeting, or the like.
- The impermanence might be also be good if employees are simply venting to each other about the workplace – providing an outlet for employees to let off harmless steam without those remarks coming back to haunt them, or their employer.
- Confide grants users the ability to engage in private communications that won’t be stored anywhere. This feature and the app’s impermanence might raise problems for businesses required by law to retain certain types of records or preserve documents or data for litigation purposes, or which are are prohibited from engaging in certain types of communications.
- From an employment standpoint, these ultra-private communications could lead to inappropriate discussions between employees – leaving the employer left with trying to work out a “he said, she said” situation without any concrete evidence.
- Confide requires the user to grant complete access to their Address Book. This should raise concerns for companies seeking to protect certain contact information – such as client information. Clients too might not appreciate their contact information being shared freely with Confide.
- Employees may also make improper use of the app – whether to share confidential information, to make plans to go work for a competitor to name just a few, to share confidential information with that competitor, to discuss important internal matters that really ought to be recorded in some fashion, and the list goes on.
In light of the pros and cons above, businesses will have to decide whether they want to encourage “off-the-record” discussions between employees and permit the use of apps like Confide. At the very least, the advent of apps like Confide should serve as a reminder for business to take affirmative steps to keep current with all new technologies to protect business interests, trade secrets, and regulatory and legal obligations. Our next post will address some affirmative actions you can take to stay on top of new technologies.
Does your business or its employees use applications like Confide? If so, how do you regulate the use, and the disappearing nature of the documents? As always, we are interested in your thoughts.
We are always pleased to present posts from our colleagues in Fredrikson & Byron’s Employment & Labor group. This week, we are happy to re-post our colleague Krista Hatcher’s article relating to an employer’s inquiry into an applicant’s criminal history in light of Minnesota’s recent “Ban the Box” law. We thought her commentary relating to online applications may be of particular interest to our readers – so please do read on!
New Guidance from MDHR on “Ban-the-Box” Law, by Krista Hatcher
Minnesota’s new “Ban the Box” law prohibits most employers in Minnesota from inquiring into an applicant’s criminal history until after selecting the applicant for an interview or making a conditional offer of employment. The Minnesota Department of Human Rights, which enforces the new law, recently presented a Ban the Box webinar and published a Technical Guidance document. Although the MDHR’s interpretation is not binding on courts, which may disagree with the agency and construe the law differently, there are a few takeaways that employers may find instructive.
Compliance Will Not Insulate Employers from Discrimination Claims
Minnesota’s Ban the Box law regulates the timing of criminal history inquiries. Even if an employer complies with Ban the Box, however, its use of criminal history information may result in liability if it discriminates against individuals in protected classes. The MDHR suggests employers review the EEOC’s Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964, which says that employers should either: (1) have their criminal history screening practices validated in accordance with EEOC Uniform Guidelines on Employee Selection Procedures; or (2) develop a targeted screening process that takes into consideration at least the nature of the crime, time that has elapsed, and nature of the job for which the individual is applying, and provides for an individualized assessment. Employers that fail to comply with one of these two methods may face claims that their exclusion of applicants based on a criminal record is discriminatory.
Multi-state Employers May Use a Single Electronic Application That Contains a Clear and Unambiguous Disclaimer
According to the MDHR, employers that have operations in multiple states may continue to use a single electronic application, but must clearly and unambiguously inform Minnesota applicants that they need not answer criminal background questions on the application. The MDHR recommends that such language be in bold text and a different font, and cautions that if a Minnesota applicant does answer a criminal background question on the application the employer should not use or track the information. Although the MDHR did not discuss the use of paper applications by multi-state employers, the implication seems to be that a disclaimer on the application would be insufficient and multi-state employers should use a separate paper application in Minnesota that does not include any criminal history inquiries.
For more information on this issue, please see Ingrid Culp’s article, “New Minnesota Law Will Render Most Employment Applications Now In Use Unlawful.” For assistance with complying with the Ban the Box law or other questions related to background checks, please contact an attorney in Fredrikson & Byron’s Employment & Labor Law Group.
In the past, we have discussed defamation claims against individuals arising from their own online reviews and posts. (See Should Healthcare Professionals Sue to Protect Their Online Reputations?) The case we discuss today adds a new twist. In December 2013, briefs were filed in the Sarah Jones v. Dirty-World Entertainment Recordings, LLC d.b.a theDirty.com with the Sixth Circuit Court of Appeals challenging a federal district court’s ruling that allowed a defamation claim to proceed against an Arizona-based gossip website (thedirty.com) for the anonymous posts of its readers. Following a failed motion for summary judgment, the case against thedirty.com proceeded to trial, and the jury awarded $338,000 to Sarah Jones for the defamation claim.
The case stems from posts to thedirty.com which disclosed details of the sexual history of Sarah Jones, a former school teacher and Cincinnati Bengals cheerleader, and her ex-husband. According to the Associated Press, Internet Giants Weigh In On Defamation Lawsuit, Nik Richie, thedirty.com owner, views each post, decides which submissions merit publication, and then adds commentary to the posts if warrant. In the posts concerning Ms. Jones, Richie added commentary regarding the culpability of high school teachers having sexual encounters with minor students (Sarah Jones had earlier pled guilty to having a sexual relationship with a former teenage student.)
So what is the significance of this case – it’s just one tabloid-gossip website – right? Well, Facebook, Twitter, Amazon, Microsoft, Gawker, Buzzfeed and Google all must have found the case significant since each entity participated in filing an amicus brief with the Sixth Circuit so that their concerns could be heard in the appeal. The web providers are troubled that the federal district court’s ruling will have a “significant chilling” aspect to online speech. According to the amicus brief filed in the case, the decision undermines the Communications Decency Act – which fosters online speech and grants broad immunity to web providers. The Act provides, in part:
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
47 U.S.C. § 230 (c)(1).
In the brief, the web providers argued that if the case is allowed to stand, online providers would be put in the precarious position of having to judge the authenticity and accuracy of each post – which would be a daunting, if not, an impossible feat. The brief went on to state that “[i]f websites are subject to liability for failing to remove third-party content whenever someone objects, they will be subject to the ‘heckler’s veto,’ giving anyone who complains unfettered power to censor speech.” The amicus brief further points out that the decision is contrary to hundreds of court cases upholding immunity for web providers under the Communications Decency Act.
Commentators have questioned whether the Court’s ruling in thedirty.com decision is based on the judge’s personal bias and distaste for websites like thedirty.com – pointing to the Court’s holding that Richie’s style and commentary encourage offensive comments on the site. The Court’s personal distaste for the website may have had on impact on the decision, but the Court’s decision primarily focuses on Richie’s own involvement in the commentary. The Court reasoned that Richie’s commentary about Jone’s conviction for sexual misconduct with a minor validated the anonymous posts, and tied Richie to the defamation claim (i.e. he was being held liable for his own commentary, not that of a third-party). The Court concluded:
…[A] website owner who intentionally encourages illegal or actionable third-party postings to which he adds his own comments ratifying or adopting the posts becomes a “creator” or “developer” of that content and is not entitled to immunity.
It certainly would have been interesting to see how the Court would have ruled had Richie himself not posted any commentary regarding Jones’ criminal past.
So how does this affect business and social media? Web providers are concerned that the ruling, if allowed to stand, would significantly limit the immunity provided to web providers under the Communications Decency Act, thus imposing an obligation on web-based businesses to act as a gatekeeper for online speech. Online businesses are reasonably concerned that this would open the floodgates to potential litigation.
What would happen if a website, such as Yelp, could be sued for the negative posts of online reviewers? How would Yelp, from a practical business standpoint, know, or find out, the truth behind a reviewer’s post that a particular restaurant’s food or service was inadequate, or conversely whether the reviewer simply had a grudge against this particular business? It is a good question – and one that has web providers on edge. For me the real question is – would Yelp be held responsible for that bad restaurant review under thedirty.com analysis outlined above, or would that potential liability be limited to situations where Yelp (or one of its employees) decided to weigh in on the discussion – i.e. adding its own opinions or commentary? And remember, truth is an absolute defense to a claim for defamation – so if the commentary is true, the defamation claim would fail.
So what do you think? Should web providers be provided broad immunity against defamatory posts on their web sites – particularly when the web providers include their own, potentially defamatory, commentary? As always, we are interested in your thoughts and comments.
Can a Facebook post count as a sexual harassment complaint to an employer?
The Tenth Circuit recently said no in Debord v. Mercy Health Sys. Of Kan., Inc., 2013 U.S. App. LEXIS 23733 (10th. Cir. Nov. 26, 2013). The case involved Sara Debord, a nuclear-medicine technician, who claimed her employer, Mercy Hospital in Independence, Kansas, retaliated against her for making a complaint of sexual harassment. The “complaint” in question was a Facebook post Debord made stating:
“Oh, it’s hard to explain…basically, the MRI tech is getting paid for doing MRI even though he’s not registered and myself, nor the CT tech are getting paid for our areas…and [her supervisor] tells me ‘good luck taking it to HR because you’re not supposed to know that’ plus [her supervisor] adds money on peoples [sic] checks if he likes them (I’ve been one of them)…and he needs to keep his creapy [sic] hands to himself…just an all around d-bag!!” (Emphasis added.)
The post was viewed by Debord’s co-workers, who reported it to HR. HR met with Debord, and she repeatedly denied making the posts. When she eventually admitted she made the post, HR asked her about the “creepy hands” comment. She said that she did not think that her supervisor sexually harassed her, but instead he was just “a pervert.” Debord was eventually terminated for failing to cooperate with HR’s investigation, lying about the posts, and disrupting the workplace by sending false messages about the investigation to other employees.
Debord then sued Mercy Hospital, for, among other things, retaliating against her for making a claim of sexual harassment. She claimed that the Facebook post was her way of reporting sexual harassment, and Mercy’s decision to terminate her for the post was unlawful. The Tenth Circuit rejected her argument, finding that Debord’s Facebook post “falls short.” The court explained that Mercy had an “otherwise flexible reporting system,” and that her post, by itself, did not provide any notice to Mercy. The court noted that Debord did not attempt to avail herself of Mercy’s reporting system and, when confronted, denied making the posts. Based on her conduct, the court refused to believe her argument that she was attempting to report sexual harassment to Mercy in a meaningful way and denied her retaliation claim.
Much of the court’s decision rested on the employee’s conduct in denying that she made the posts and failing to follow the employer’s reporting policy. Under different circumstances, might there be situations in which a Facebook post could constitute a report of sexual harassment to an employer? What if the employer did not have a good reporting system in place?
Authored by Kristen Barlow Rand, Associate, Fredrikson & Byron, P.A. Thanks, Kristen, for the great post!
IT Professionals Walk a Tightrope When Dealing With Illegal Activity of Employees on Company-Owned Devices
In our November 8, 2013, post No Hall Pass for School Officials in School Texting Scandal, we discussed the impact of inappropriate and possibly illegal employee activity on company-owned electronic devices for both employees and organizations. Now, we turn our attention to the company’s IT staff, and the professional, legal and ethical dilemmas many might face when dealing with the improper conduct of employees.
The Importance of IT Protocols
Employee misconduct comes in many forms – the conduct might simply amount to a violation of company policy or it might amount to a criminal act. Regardless, organizations should consider implementing protocols for IT staff to follow when reporting and/or investigating the possible misconduct. For example, chain-of-command – to whom will IT staff report possible misconduct? Is there a direct line to a supervisor, or does the IT professional report these incidents to a senior level manager? What happens if, as in the Coatsville case, the IT staffer believes the supervisor is involved in the illegal conduct? Does corporate protocol anticipate these circumstances? These questions should be discussed with all stakeholders so that the IT protocol includes a procedure that works for the organization. So, what are the important takeaways relating to IT protocols?
- The protocol should tell IT staffers what to do with evidence of possible misconduct. For example, who is responsible for and/or authorized to report possible misconduct to senior management and/or law enforcement personnel.
- Organizations should train IT staff on the protocol so that they know how to respond when confronted with possible misconduct.
- The protocol should outline to IT staff when to engage with inside or outside legal counsel to insure that preservation obligations of the company are met. IT staff should not be forced to make this important decision in a vacuum.
As we often say, a good protocol should tell employees what responsibilities that each employee holds, and the obligations of those employees to perform certain duties when they are faced with employee misconduct.
What to do When Law Enforcement Becomes Involved
Another issue that should be addressed for your IT professionals is what to do when, as in Coatsville, law enforcement personnel become involved. For example, in the Coatsville matter, the IT Director was first told by the District Attorney to preserve the integrity of the computer system and its content as evidence of an alleged illegal act. Then, the Acting Coatsville Superintendent directed the IT Director to give-up the computer codes to an outside computer firm. The IT staffer walks a tightrope in complying with the directives of a supervisor while simultaneously following the legal requirements to preserve data and records for criminal prosecution. What can a company do?
- Have a protocol in place that clearly delineates how IT personnel should react to involvement of law enforcement.
- Supervisors or managers too should know how to respond to reports of misconduct. For example, supervisors and managers should know that intimidation of IT professionals is not appropriate following a report of possible misconduct. For a good example, see dailylocal.com, More details in alleged harassment of texting scandal whistleblowers, October 1, 2013. (The Acting Superintendent’s email to the IT Director ordering compliance with his demands lest he be slapped with insubordination regardless of what the county’s district attorney ordered).
According to the District Attorney involved in the Coatsville matter, an organization facing a criminal investigation should map out a clear strategy for preserving any computer evidence, backing up files with minimal disruption to the organization’s operations, and then a plan to communicate the strategy to law enforcement personnel to prevent any inference of company interference in the investigation. See edweek.com, Pa. Texting Scandal Highlights Complexities for IT Leaders, October 16, 2013. “The IT director really at that point has a double set of duties,” Mr. Hogan said. “They have to preserve any data that might be related to the investigation from the standpoint of the government. They also have a duty to follow any lawful orders of the [enterprise] regarding that data.” As noted above – thinking about this upfront so that IT professionals have a protocol to follow would have alleviated some of the strain on the IT Director in this case – as well as the possible conflict with local law enforcement.
Do you Hire an Outside Forensic Vendor?
Finally, another big issue commonly faced by organizations is when to hire an outside forensic firm to preserve computer evidence and the integrity of the entire computer systems. The retention of an outside firm can help negate any inference that the business is involved in covering-up, or worse, destroying, evidence. A well thought out and documented protocol might include a section addressing when to hire a forensic computer firm, how that firm will be retained, and who will be responsible for working with the firm. Preservation of evidence is an important component of any potential legal action – criminal or civil. As a result, having a clear road map of how an organization responds to preservation of evidence can help save the organization from the threat of sanctions if litigation later develops.
Have you dealt with employee misconduct on employee devices? Were you equipped to respond? As always, we welcome your insight.
The texting/tweeting scandals just keep coming – and once again this one is all true. This unfortunate episode comes from the Coatsville Area School District in Pennsylvania. The scandal highlights technology, ethics and employment issues, as well as the complexities that IT staff must navigate when dealing with evidence of alleged immoral and illegal activities on company-owned devices. In this first post, we will look at the issues businesses face when employees engage in nefarious activity on company-owned electronic devices.
So, let’s take a look at some of the facts. The Coatesville, Pa., School District Superintendent Richard Como and Coatsville Area High School Athletic Director Jim Donato recently resigned following the disclosure of their inflammatory texting conversation. The pair had exchanged a myriad of racist and sexist slurs directed at students, faculty, and administration officials on district-owned cell phones. In one appalling exchange, Como and Donato used fourteen slurs using the “n” word. In another text, the pair allegedly discussed financial misdealing within the district and monetary kickbacks.
The district’s IT Director (Hawa) discovered the racist slurs while performing a routine data transfer on Athletic Director Donato’s district-owned cell phone. Mr. Hawa reported the incident to the district’s deputy superintendent, and then to the district’s attorney. News reports confirm that Hawa ultimately sent the transcript to the Chester County District Attorney after he became concerned that some Coatsville school board members and their attorney were attempting to cover-up the texting scandal. See Daily Local News, Coatsville school officials sighted at courthouse, dailylocal.com, October 18, 2013. The District Attorney initiated a grand jury proceeding into the texting scandal, the alleged financial kickbacks, and other alleged improper activities of the school employees. See abclocal.go.com, Grand jury investigation into Coatsville texting scandal, October 15, 2013. The NAACP also conducted its own hearing into the incident revealing additional claims that the district discriminated against low-income and minority families, as well as disabled children. The NAACP plans to investigate the claims made at the hearing for possible legal action against the district. See philly.com, Coatsville school board denies accusation of bias, October 18, 2013.
So, what are the lessons learned from this scandal? First, there are lessons for anyone who uses social media, electronic devices, etc.:
- In the digital age, everyone must understand that electronic communications will NOT remain private.
- Emails and texts – whether good or bad – do not disappear. As discussed in prior posts, forensic experts can often easily retrieve “deleted” information from a cell phone or computer. If you would not say what you are saying in front of a judge (or your grandmother) – don’t post it!
- Don’t use your work provided device as if it were your own device. As happened here, what happens if you turn in that device for a routine data transfer? What will someone find? Company officials and IT staff – under appropriate policies and procedures – will have the right to investigate information contained on company-owned cell phones and computers. Employees must understand that even though they might be permitted to use a company-owned device for business and personal purposes, that device, and the content on that device, still remain the property of the business.
Second, there are important lessons for private and public corporate entities:
- Implement policies and procedures that permit you to monitor, inspect and act upon inappropriate text messages or interactions.
- Implement policies and procedures that outline the circumstances and procedures for reporting alleged illegal activities. These policies could spell out the appropriate chain-of-command for reporting this activity, as well as the individual in the organization who has the authorization to discuss company matters with outside law enforcement officials.
- Implement policies and procedures on appropriate and inappropriate use of company provided devices. Then, train your employees on what that means – clearly not everyone understands this concept yet.
Third, evidence obtained from a company-owned device might be used in a termination decision, however, there could be consequences beyond loss of employment for inappropriate text messages:
- For example, the former Coatsville Superintendent may find out his conduct might negate the school district’s obligation to pay-out his retirement pension. I bet that Como never thought that his texts with the Athletic Director could ever jeopardize his reputation, career, and ultimately his retirement pension.
- Depending on the content of the inappropriate exchanges, district attorneys could use employee text messages to prosecute employees or their employers under criminal statutes. Just think of what may face the Superintendent – “Theft by deception or extortion, theft of services, tampering with public records or information, are a few stated crimes listed under the forfeiture act that could cause Como to forfeit his pension.” See Daily Times News, delcotimes.com, Former Coatsville schools chief at center of racist text saga files for pension, November 6, 2013.
- The EEOC, local departments of human rights or the NAACP may use those text messages to support claims of discrimination, retaliation or unequal treatment against the employer.
In short, employees need to exercise some modicum of restraint in their communications. Employers, knowing that employees may not do so, need to have policies in place to respond to inappropriate and possibly illegal conduct by employees. Are you prepared?
You really can’t make this stuff up. The story sounds like the plot of a D.C. beltway suspense novel – senior White House director involved with national security and Iranian nuclear negotiations caught and fired after anonymously leaking sensitive national security information, and lobbing insults at Capitol Hill, White House staffers and politicians via Twitter. The abrasive tweets criticized government policies, and even the actions of the director’s boss, the President of the United States. But someone did not make it up…sadly, it is all true. See White House Official Fired Over Anonymous Tweets, Reuters.com, October 23, 2013.
Jofi Joseph, was the director of nuclear non-proliferation on the White House National Security Council staff. But his employment was terminated after the government discovered that for two and a half years, Joseph anonymously posted hundreds of the blunt tweets like those outlined above. According to news reports, Joseph described himself in his Twitter bio as a “keen observer” of national security, noting that he was unapologetic for saying what others only thought (the Twitter account has since been shut down). See White House Staffer Fired for Tweets Criticizing Bosses, NBCWashington.com, October 23, 2013. The White House confirmed Joseph’s termination.
So have these highly publicized terminations deterred employees from posting negative comments regarding their employers? Probably not. Yet, the lesson from this recent termination (and so many of those in the past) is that even an employee’s anonymous posts can be uncovered and have a significant negative impact on that individual’s job security and reputation. In this day and age, individuals should not rely upon the supposed anonymity of the internet to protect their identities. As an aside, Joseph’s antics could also impact others… Joseph’s wife is currently employed in a high profile job on Capitol Hill. I wonder whether Joseph had any thought about how his actions might affect his wife’s career. Whether he thought about it or not, the circumstances surrounding his termination might affect how others view his family. When conducting training on social media use for employees, I always caution employees to consider all the ramifications of their actions before proceeding down the road of negative posts. This situation certainly highlights why this guidance is important.
From an employment perspective, companies should consider how their social media policies handle employees’ negative posts or, more importantly, the leak of sensitive information. Employers should consider having procedures in place to investigate and address potentially damaging posts. As you all know from past posts, certain laws, e.g. the National Labor Relations Act, may protect employees for negative comments on the internet (see A Reminder to Avoid Prying Into Private Group Facebook Pages!) but not all employee posts are protected. Employers should be prepared to act on those that are not – particularly if the posts contain confidential information.
Have you ever personally posted something you later regretted, or have you had to address negative employee posts in the workplace? Do you have the policies and procedures in place to handle these situations? As always, we welcome your insight.
Do private Facebook wall posts fall within the protection of the Federal Stored Communications Act (“SCA”)? The United States District Court of New Jersey ruled they do in Ehling v. Monmouth-Ocean Hospital Service Corp., Civ. No. 2:11-CV-03305 (WJM) (Aug. 20, 2013). So what is the SCA and how could the Court’s ruling affect your HR decisions?
Here is the case in a nutshell. Plaintiff Deborah Ehling, a registered nurse and paramedic, frequently posted comments and photos to her Facebook wall – a wall that limited access to only her Facebook friends. Plaintiff was not shy with her comments. For example, after a shocking shooting in Washington D.C., Plaintiff posted the following:
“[a]n 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning killing an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards ….. go to target practice.”
Plaintiff’s employer, Monmouth-Ocean Hospital Service Corp. (“MONOC”), received a copy of the post from a co-worker and Facebook friend. As many of you likely know – most employers learn about employee Facebook posts because their so-called “friends” turn them in.
After receiving the post, MONOC suspended Plaintiff with pay stating her comments reflected a “deliberate disregard for patient safety.” Plaintiff filed a complaint with the National Labor Relations Board (“NLRB”). The NLRB found MONOC did not violate the National Labor Relations Act, and that no privacy violation occurred as the post was sent unsolicited to MONOC management.
MONOC ultimately terminated Plaintiff for other disciplinary violations, unexcused absences, and her failure to return to work after numerous FMLA leaves of absences. Ehling then filed suit in federal district court alleging, among other things, that MONOC violated the SCA, and the common-law claim of invasion of privacy for inappropriately accessing her Facebook post.
So, let’s step back a minute. What does the SCA do? The purpose of the Act is to protect information that a “communicator” meant to keep private. The SCA applies to: (1) electronic communications; (2) that were transmitted via an electronic communication service; (3) that are in electronic storage; and (4) that are not public. Given this, the Ehling Court ruled that Facebook posts configured to be private – not open for general public viewing – met all four criteria. “The Court note[d] that when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls.”
Although Ehling chose to keep her Facebook wall private, and hence her posts were covered under the SCA, the Court determined the “authorized user exception” applied. The authorized user exception applies where (1) access to the communication was “authorized,” (2) “by a user of that service,” (3) “with respect to communication … intended for that user.” Each prong of this exception was met in the Ehling case. Access to Ehling’s Facebook posts was “authorized” as her co-worker voluntarily – without solicitation or coercion – provided copies to management. The co-worker was also a “user” under the exception as he had a Facebook account, and Plaintiff had friended him. Plaintiff intended her Facebook rants to be viewed by her friends – including all of her Facebook friends at work. The Court, therefore, dismissed Ehling’s claims under the SCA. Interestingly, Ehling’s common law claim for an invasion of privacy into her Facebook account also failed. The Court, just as with the SCA claims, found that there was no intentional intrusion into her Facebook account.
So what might an employer learn from Ehling v. MONOC? First, at least one court found that an employee’s private Facebook posts fell within the protection of the SCA, and that accessing them without authorization might open up the employer to liability. Second, how management accesses, or receives copies of, the employee’s Facebook post matters. If management solicits, or coerces, an employee to provide copies of, or access to, another’s Facebook posts, or asks the employee to login to Facebook to view the other employee’s account, the SCA exception might not apply – the access might not be “authorized.” But if, as in Ehling, a co-worker voluntarily provides information to management without strings attached the access might fall within the “authorized user” exception.
This case should remind all Facebook users to think about who their Facebook “friends” are…would your “friend” turn you in to an employer for a thoughtless Facebook comment? Food for thought.
Do school districts need help with monitoring students’ social media behaviors to prevent bullying, threats, acts of violence and self-harm? Several districts believe so. Following a pilot program, Glendale Unified School District in Glendale, California recently hired Geo Listening to monitor and report on the cyber-activity of over 14,000 middle and high school students.
According to Geo Listening’s website, their mission is to “provide more timely and relevant information to school administrators so they can better intervene in the lives of children.” The company’s monitoring service analyzes and reports on the social media activity of students from their public posts. Geo Listening then provides a daily report of conduct such as bullying, cyber-bullying, despair, hate, harm to self or others, crime, vandalism, substance/drug abuse, and truancy. What to do with the monitored information is then left to the discretion of the school district. Geo Listening simply hunts and gathers for the data. Despite this, the program has raised some concerns over privacy and free speech rights by students.
Yet, school districts do not provide a list of students to Geo Listening. Rather, the company uses “deductive reasoning to link public accounts” to the students. LA Times, Glendale district says social media monitoring is for student safety, (Sept. 14, 2013). Geo Listening declined to articulate what that means and how that is accomplished. However, if the school district does not provide student names to Geo Listening, or reveal private confidential information in the monitoring process, then the district is not likely violating any privacy laws. Indeed, many employers hire companies to review public social media posts of applicants or employees. (See More Risks to Job Applicants with Questionable Social Media History – where we talked about Social Intelligence, a company which performs social media background checks on applicants for employers).
Geo Listening also contends it does not violate student privacy – it neither hacks into students’ accounts nor peeks into private communications or emails. According to Geo Listening, the students themselves make the information public – the company simply monitors where and what kids communicate. “Parents and school district personnel – they are not able to effectively listen to the conversation where it’s happening now,” Geo Listening CEO told CNN, California school district hires firm to monitor students’ social media, (Sept. 15, 2013). Geo Listening believes its service bridges this communications gap without violating any privacy or free speech rights.
In the end, despite the criticisms and questions – has monitoring Glendale’s students helped? Superintendent Richard Sheehan certainly believes that the monitoring will assist the district in providing a safer environment for students. Recently, the district was able to intervene on behalf of a student who had expressed a desire on social media to end his life, and to date, the district has not commenced any disciplinary action for conduct reported under the monitoring program – even against a student who posted a photo of himself holding what turned out to be a fake gun. Sheehan’s staff simply talked with the student’s parents about the dangers of posting those types of photos online. See, CNN, California school district hires firm to monitor students’ social media, (Sept. 15, 2013).
What do you think? Should school districts look at all student behavior – in and out of the classroom? As we have discussed previously, social media platforms are public venues. Information disclosed is no different than carrying on a conversation in a public place. Regardless, when, how and why we look at that information becomes an important question to ask. How would this apply in the employment context? Should employers be monitoring the communications of its employees online – and what information would employers be looking at? As always, we welcome your input.
Teresa is the Chair of Fredrikson’s Non-Competes and Trade Secrets Group, and an MSBA Certified Labor and Employment Law Specialist. She counsels business clients on risk management and policy development relating to employee use of technology, and also litigates their business and employment disputes. Teresa trains, writes and lectures extensively on legal issues arising from business use of technology and social media.