The texting/tweeting scandals just keep coming – and once again this one is all true. This unfortunate episode comes from the Coatsville Area School District in Pennsylvania. The scandal highlights technology, ethics and employment issues, as well as the complexities that IT staff must navigate when dealing with evidence of alleged immoral and illegal activities on company-owned devices. In this first post, we will look at the issues businesses face when employees engage in nefarious activity on company-owned electronic devices.
So, let’s take a look at some of the facts. The Coatesville, Pa., School District Superintendent Richard Como and Coatsville Area High School Athletic Director Jim Donato recently resigned following the disclosure of their inflammatory texting conversation. The pair had exchanged a myriad of racist and sexist slurs directed at students, faculty, and administration officials on district-owned cell phones. In one appalling exchange, Como and Donato used fourteen slurs using the “n” word. In another text, the pair allegedly discussed financial misdealing within the district and monetary kickbacks.
The district’s IT Director (Hawa) discovered the racist slurs while performing a routine data transfer on Athletic Director Donato’s district-owned cell phone. Mr. Hawa reported the incident to the district’s deputy superintendent, and then to the district’s attorney. News reports confirm that Hawa ultimately sent the transcript to the Chester County District Attorney after he became concerned that some Coatsville school board members and their attorney were attempting to cover-up the texting scandal. See Daily Local News, Coatsville school officials sighted at courthouse, dailylocal.com, October 18, 2013. The District Attorney initiated a grand jury proceeding into the texting scandal, the alleged financial kickbacks, and other alleged improper activities of the school employees. See abclocal.go.com, Grand jury investigation into Coatsville texting scandal, October 15, 2013. The NAACP also conducted its own hearing into the incident revealing additional claims that the district discriminated against low-income and minority families, as well as disabled children. The NAACP plans to investigate the claims made at the hearing for possible legal action against the district. See philly.com, Coatsville school board denies accusation of bias, October 18, 2013.
So, what are the lessons learned from this scandal? First, there are lessons for anyone who uses social media, electronic devices, etc.:
- In the digital age, everyone must understand that electronic communications will NOT remain private.
- Emails and texts – whether good or bad – do not disappear. As discussed in prior posts, forensic experts can often easily retrieve “deleted” information from a cell phone or computer. If you would not say what you are saying in front of a judge (or your grandmother) – don’t post it!
- Don’t use your work provided device as if it were your own device. As happened here, what happens if you turn in that device for a routine data transfer? What will someone find? Company officials and IT staff – under appropriate policies and procedures – will have the right to investigate information contained on company-owned cell phones and computers. Employees must understand that even though they might be permitted to use a company-owned device for business and personal purposes, that device, and the content on that device, still remain the property of the business.
Second, there are important lessons for private and public corporate entities:
- Implement policies and procedures that permit you to monitor, inspect and act upon inappropriate text messages or interactions.
- Implement policies and procedures that outline the circumstances and procedures for reporting alleged illegal activities. These policies could spell out the appropriate chain-of-command for reporting this activity, as well as the individual in the organization who has the authorization to discuss company matters with outside law enforcement officials.
- Implement policies and procedures on appropriate and inappropriate use of company provided devices. Then, train your employees on what that means – clearly not everyone understands this concept yet.
Third, evidence obtained from a company-owned device might be used in a termination decision, however, there could be consequences beyond loss of employment for inappropriate text messages:
- For example, the former Coatsville Superintendent may find out his conduct might negate the school district’s obligation to pay-out his retirement pension. I bet that Como never thought that his texts with the Athletic Director could ever jeopardize his reputation, career, and ultimately his retirement pension.
- Depending on the content of the inappropriate exchanges, district attorneys could use employee text messages to prosecute employees or their employers under criminal statutes. Just think of what may face the Superintendent – “Theft by deception or extortion, theft of services, tampering with public records or information, are a few stated crimes listed under the forfeiture act that could cause Como to forfeit his pension.” See Daily Times News, delcotimes.com, Former Coatsville schools chief at center of racist text saga files for pension, November 6, 2013.
- The EEOC, local departments of human rights or the NAACP may use those text messages to support claims of discrimination, retaliation or unequal treatment against the employer.
In short, employees need to exercise some modicum of restraint in their communications. Employers, knowing that employees may not do so, need to have policies in place to respond to inappropriate and possibly illegal conduct by employees. Are you prepared?
You really can’t make this stuff up. The story sounds like the plot of a D.C. beltway suspense novel – senior White House director involved with national security and Iranian nuclear negotiations caught and fired after anonymously leaking sensitive national security information, and lobbing insults at Capitol Hill, White House staffers and politicians via Twitter. The abrasive tweets criticized government policies, and even the actions of the director’s boss, the President of the United States. But someone did not make it up…sadly, it is all true. See White House Official Fired Over Anonymous Tweets, Reuters.com, October 23, 2013.
Jofi Joseph, was the director of nuclear non-proliferation on the White House National Security Council staff. But his employment was terminated after the government discovered that for two and a half years, Joseph anonymously posted hundreds of the blunt tweets like those outlined above. According to news reports, Joseph described himself in his Twitter bio as a “keen observer” of national security, noting that he was unapologetic for saying what others only thought (the Twitter account has since been shut down). See White House Staffer Fired for Tweets Criticizing Bosses, NBCWashington.com, October 23, 2013. The White House confirmed Joseph’s termination.
So have these highly publicized terminations deterred employees from posting negative comments regarding their employers? Probably not. Yet, the lesson from this recent termination (and so many of those in the past) is that even an employee’s anonymous posts can be uncovered and have a significant negative impact on that individual’s job security and reputation. In this day and age, individuals should not rely upon the supposed anonymity of the internet to protect their identities. As an aside, Joseph’s antics could also impact others… Joseph’s wife is currently employed in a high profile job on Capitol Hill. I wonder whether Joseph had any thought about how his actions might affect his wife’s career. Whether he thought about it or not, the circumstances surrounding his termination might affect how others view his family. When conducting training on social media use for employees, I always caution employees to consider all the ramifications of their actions before proceeding down the road of negative posts. This situation certainly highlights why this guidance is important.
From an employment perspective, companies should consider how their social media policies handle employees’ negative posts or, more importantly, the leak of sensitive information. Employers should consider having procedures in place to investigate and address potentially damaging posts. As you all know from past posts, certain laws, e.g. the National Labor Relations Act, may protect employees for negative comments on the internet (see A Reminder to Avoid Prying Into Private Group Facebook Pages!) but not all employee posts are protected. Employers should be prepared to act on those that are not – particularly if the posts contain confidential information.
Have you ever personally posted something you later regretted, or have you had to address negative employee posts in the workplace? Do you have the policies and procedures in place to handle these situations? As always, we welcome your insight.
Do private Facebook wall posts fall within the protection of the Federal Stored Communications Act (“SCA”)? The United States District Court of New Jersey ruled they do in Ehling v. Monmouth-Ocean Hospital Service Corp., Civ. No. 2:11-CV-03305 (WJM) (Aug. 20, 2013). So what is the SCA and how could the Court’s ruling affect your HR decisions?
Here is the case in a nutshell. Plaintiff Deborah Ehling, a registered nurse and paramedic, frequently posted comments and photos to her Facebook wall – a wall that limited access to only her Facebook friends. Plaintiff was not shy with her comments. For example, after a shocking shooting in Washington D.C., Plaintiff posted the following:
“[a]n 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning killing an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards ….. go to target practice.”
Plaintiff’s employer, Monmouth-Ocean Hospital Service Corp. (“MONOC”), received a copy of the post from a co-worker and Facebook friend. As many of you likely know – most employers learn about employee Facebook posts because their so-called “friends” turn them in.
After receiving the post, MONOC suspended Plaintiff with pay stating her comments reflected a “deliberate disregard for patient safety.” Plaintiff filed a complaint with the National Labor Relations Board (“NLRB”). The NLRB found MONOC did not violate the National Labor Relations Act, and that no privacy violation occurred as the post was sent unsolicited to MONOC management.
MONOC ultimately terminated Plaintiff for other disciplinary violations, unexcused absences, and her failure to return to work after numerous FMLA leaves of absences. Ehling then filed suit in federal district court alleging, among other things, that MONOC violated the SCA, and the common-law claim of invasion of privacy for inappropriately accessing her Facebook post.
So, let’s step back a minute. What does the SCA do? The purpose of the Act is to protect information that a “communicator” meant to keep private. The SCA applies to: (1) electronic communications; (2) that were transmitted via an electronic communication service; (3) that are in electronic storage; and (4) that are not public. Given this, the Ehling Court ruled that Facebook posts configured to be private – not open for general public viewing – met all four criteria. “The Court note[d] that when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls.”
Although Ehling chose to keep her Facebook wall private, and hence her posts were covered under the SCA, the Court determined the “authorized user exception” applied. The authorized user exception applies where (1) access to the communication was “authorized,” (2) “by a user of that service,” (3) “with respect to communication … intended for that user.” Each prong of this exception was met in the Ehling case. Access to Ehling’s Facebook posts was “authorized” as her co-worker voluntarily – without solicitation or coercion – provided copies to management. The co-worker was also a “user” under the exception as he had a Facebook account, and Plaintiff had friended him. Plaintiff intended her Facebook rants to be viewed by her friends – including all of her Facebook friends at work. The Court, therefore, dismissed Ehling’s claims under the SCA. Interestingly, Ehling’s common law claim for an invasion of privacy into her Facebook account also failed. The Court, just as with the SCA claims, found that there was no intentional intrusion into her Facebook account.
So what might an employer learn from Ehling v. MONOC? First, at least one court found that an employee’s private Facebook posts fell within the protection of the SCA, and that accessing them without authorization might open up the employer to liability. Second, how management accesses, or receives copies of, the employee’s Facebook post matters. If management solicits, or coerces, an employee to provide copies of, or access to, another’s Facebook posts, or asks the employee to login to Facebook to view the other employee’s account, the SCA exception might not apply – the access might not be “authorized.” But if, as in Ehling, a co-worker voluntarily provides information to management without strings attached the access might fall within the “authorized user” exception.
This case should remind all Facebook users to think about who their Facebook “friends” are…would your “friend” turn you in to an employer for a thoughtless Facebook comment? Food for thought.
Do school districts need help with monitoring students’ social media behaviors to prevent bullying, threats, acts of violence and self-harm? Several districts believe so. Following a pilot program, Glendale Unified School District in Glendale, California recently hired Geo Listening to monitor and report on the cyber-activity of over 14,000 middle and high school students.
According to Geo Listening’s website, their mission is to “provide more timely and relevant information to school administrators so they can better intervene in the lives of children.” The company’s monitoring service analyzes and reports on the social media activity of students from their public posts. Geo Listening then provides a daily report of conduct such as bullying, cyber-bullying, despair, hate, harm to self or others, crime, vandalism, substance/drug abuse, and truancy. What to do with the monitored information is then left to the discretion of the school district. Geo Listening simply hunts and gathers for the data. Despite this, the program has raised some concerns over privacy and free speech rights by students.
Yet, school districts do not provide a list of students to Geo Listening. Rather, the company uses “deductive reasoning to link public accounts” to the students. LA Times, Glendale district says social media monitoring is for student safety, (Sept. 14, 2013). Geo Listening declined to articulate what that means and how that is accomplished. However, if the school district does not provide student names to Geo Listening, or reveal private confidential information in the monitoring process, then the district is not likely violating any privacy laws. Indeed, many employers hire companies to review public social media posts of applicants or employees. (See More Risks to Job Applicants with Questionable Social Media History – where we talked about Social Intelligence, a company which performs social media background checks on applicants for employers).
Geo Listening also contends it does not violate student privacy – it neither hacks into students’ accounts nor peeks into private communications or emails. According to Geo Listening, the students themselves make the information public – the company simply monitors where and what kids communicate. “Parents and school district personnel – they are not able to effectively listen to the conversation where it’s happening now,” Geo Listening CEO told CNN, California school district hires firm to monitor students’ social media, (Sept. 15, 2013). Geo Listening believes its service bridges this communications gap without violating any privacy or free speech rights.
In the end, despite the criticisms and questions – has monitoring Glendale’s students helped? Superintendent Richard Sheehan certainly believes that the monitoring will assist the district in providing a safer environment for students. Recently, the district was able to intervene on behalf of a student who had expressed a desire on social media to end his life, and to date, the district has not commenced any disciplinary action for conduct reported under the monitoring program – even against a student who posted a photo of himself holding what turned out to be a fake gun. Sheehan’s staff simply talked with the student’s parents about the dangers of posting those types of photos online. See, CNN, California school district hires firm to monitor students’ social media, (Sept. 15, 2013).
What do you think? Should school districts look at all student behavior – in and out of the classroom? As we have discussed previously, social media platforms are public venues. Information disclosed is no different than carrying on a conversation in a public place. Regardless, when, how and why we look at that information becomes an important question to ask. How would this apply in the employment context? Should employers be monitoring the communications of its employees online – and what information would employers be looking at? As always, we welcome your input.
Remember the days when a simple firewall and anti-virus software protected a corporate network? Unfortunately, to thwart today’s computer villains (often sponsored by foreign governments), companies may require a more “James Bond” type of defense. For this reason, investors have pumped hundreds of millions of dollars into advanced cybersecurity platforms – betting that businesses will finally get their heads into the security game. “Rare is the corporation whose network has not yet been breached,” Sameer Gandhi, venture capitalist with Accel Partners reported to USAToday, Crowdsourcing, data mining help stop hackers, (Sept. 11, 2013). “The reality is that these threats are becoming more sophisticated, and we can expect them in higher volume in the future.” (Of course, Accel Partners has an interest in businesses beefing up their security protocols, since Accel recently invested millions into a new security company – CrowdStrike – to further develop its anti-hacking platform. See Danny Yadron, Firm that Tracks Foreign Hackers Gets $30 Million Funding Round, Wall Street Journal (Sept. 9, 2013)).
So, let’s take a look at CrowdStrike’s new security business model. CrowdStrike uses big data and “crowdsourcing” analytics to identify and map cyber-criminal behavior within a corporate network. It then purges the intruders from a corporate network before a compromise occurs. The system becomes “smarter” each time it sees how hackers break in to steal information. See USAToday, Crowdsourcing, data mining help stop hackers. To complement these new advanced software tools, CrowdStrike also focuses on the human aspect. Its investigative team, which is trained to collect, investigate and decipher data on threatening groups and corporate security risks, includes a former cybersecurity official from the F.B.I., as well as many others from the defense, intelligence and law enforcement communities. The investigators and forensic experts give businesses the ability to track and hunt those cyber-villains on the network, and to understand why and how the threats occurred.
Other security business firms have been busy increasing their cybersecurity platforms as well. Cisco recently purchased Cognitive Security, a security firm that uses artificial intelligence techniques to detect cyberthreats, and Sourcefire, a leader in intelligent cybersecurity systems. According to recent news releases, Cisco, with these acquisitions, hopes to accelerate its “security strategy of defending, discovering, and remediating the most critical security threats across the attack continuum.”
It certainly appears that these new security platforms are trying to help businesses be proactive with their security protection and detection – that is, to discover a threat before it is too late. What is the old saying – it takes a whole village to raise a child? Well, in today’s hyper-competitive and global marketplace you might need a whole team of highly skilled investigators and forensic experts to safeguard corporate data. However, businesses still need to recognize that their own employees play a big role in security of the company’s data. Businesses should consider looking to external resources, such as these new security platforms. However, they should also be looking at their own internal policies, procedures, training and best security practices to insure they are meeting the quickly changing world of data security and protection.
As the world evolves at a supersonic pace, businesses might need to rethink the importance of their security efforts. As these new business ventures demonstrate, cybersecurity is becoming a critical and necessary function to remain globally competitive. From state-sponsored cyberterrorism and theft to corporate infiltration and espionage, the disappearance of a business’ competitive advantage might be one stolen secret away.
Have you invested in these new security platforms, or are you aware of others that might be of interest to our readers? As always, we would love to hear from you.
With all the news lately regarding the NSA’s surveillance program, it is not surprising that people are concerned, and even a little apprehensive, regarding what information others can view on their personal electronic devices. With the recent surge of BYOD, the clash between personal and corporate data is even more apparent. But what can an employer really view on an employee’s BYOD smartphone or tablet? And when it comes to the use of personal devices, do employees trust their employers?
Recently, MobileIron, a mobile device management software developer, conducted a survey (MobileIron Trust Gap Survey) of 3000 workers across the United States, United Kingdom and Germany. Of those 3000 workers, 80% now use personal smartphones and tablets for work related functions. But only 30% surveyed “completely trust their employer to keep personal information private.” 41% of employees surveyed did not think their employer could see anything on their mobile devices – and 15% were not sure what the employer could see. “There’s a ton of confusion out there, and so the trust gap has widened. Employees don’t really know what their employer can and can’t see.” Ojas Rege, vice president of strategy at MobileIron, told CIO.com, What Can Employers Really See on a BYOD Smartphone or Tablet. “They’re just guessing.”
With a well-crafted BYOD policy, however, an employee should not be surprised about what an employer can see on a personal device. Notice is important, so you might consider telling employees what information the organization needs to see and why. By way of example:
- Apps: An employer has a stake in regulating what applications an employee can use on their personal devices for security purposes (e.g. protecting against outside access to client information, and to prevent the loss of proprietary information.)
- Litigation or Pre-Litigation: In the event of litigation or pre-trial investigation personal devices may be subject to search and review for evidentiary reasons. A BYOD personal device becomes just like any other evidentiary tool that may contain relevant information.
- Corporate Information. Regardless of what an employee may think, all corporate information, whether generated through the use of personal or corporate devices, or personal emails and data, belongs to the employer. The device may not belong to the company, but the information certainly does. Employees ought to understand this before using their personal devices for work purposes.
When looking at BYOD, employers should also consider what information employees don’t want them to see. The survey illustrated the type of personal information and activities most workers were concerned about – personal emails, text messages, photos, videos, voicemails and Web activities. Not surprisingly, younger employees, ages 18-34, were far more concerned about personal privacy than workers over the age of 55. Depending on how the organization manages their mobile devices – it may or may not have access to this kind of information. To make an informed decision about using a personal device, employees should know whether this information will be accessible to and/or monitored by the employer.
The survey certainly demonstrated there is a “trust gap” with employee use of personal devices for work purposes. So how should an employer bridge the trust gap? Unfortunately, the survey really demonstrated that no matter what a company does, whether it places employees on notice of all monitoring activity in writing, asks an employee permission to review a personal device or explains in written detail the purpose behind the surveillance, only 30% of workers believed these measures would increase their level of trust. Roughly 30% of the respondents stated that there was nothing an employer could do to increase their level of trust in the company.
Yet, a complete BYOD policy that spells out what information is needed and why should give an employee some measure of comfort in knowing the circumstances around which a personal device may be investigated or monitored. Armed with that information, the employee can then decide whether they want to use their personal device for work purposes. From the company perspective, a solid and tailored BYOD policy might dispel some of the negativity surrounding monitoring activity on corporate and/or BYOD personal devices.
Has your organization run into concerns over access to information on personal devices? If so, what actions have you taken to bridge that “trust gap”?
We have written on a few occasions about how courts have viewed discoverability of social media posts and what might be a reasonable request for information contained on a social media site (see e.g. Can the Court Force You to Turn Over Your Facebook Account? The Short Answer. Yes). The Federal District Court, Northern District of Georgia, recently issued an interesting decision on this issue and it is worth a deeper dive.
Jewell v. Aaron’s, Inc., Case 1:12-cv-00563-AT (N. Dist. Ga, July 19, 2013), is a class action lawsuit involving claims that the defendant failed to provide breaks to its employees. The defendant requested social media posts from the opt-in plaintiffs, and the plaintiffs had refused to produce them. The request was laid out as follows:
Request for Production No. 4: All documents, statements, or any activity available that you posted on any internet Web site or Web page, including, but not limited to, Facebook, MySpace, Linkedln, Twitter, or a blog from 2009 to the present during your working hours at an Aaron’s store.
The defendant made the Request because it had received an anonymous tip that the named Plaintiff often made posts on Facebook during work hours. The discovery request was designed to find out whether and/or how many of the sample opt-in plaintiffs engaged in similar conduct.
The defendant provided the following rationale for its request:
[g]iven the prevalence of social media today and the ability to post on personal social media accounts and blogs from personal smart phones, it is likely that many of the opt-in plaintiffs have made posts … Some of the posts may directly show that the poster was taking a lunch break at the time. The date and time stamp of other posts may indicate that the poster spent a chunk of 30 minutes or more during the work day engaged in a series of successive personal posts such that there is a 30 minute period of that opt-in plaintiff’s work day that, regardless of whether the opt-in plaintiff actually ate a meal, is appropriately excluded from the compensable time of that opt-in plaintiff.
This seems like a fairly tailored request. It also appears that the defendant articulated a reasonable rationale for seeking the information given the known use of social media by employees during the work day. The plaintiffs, however, argued the Request was overly burdensome and that it would take 1,323 hours to 26,462 hours to locate and produce the information from the 87 opt-in Plaintiffs’ social media sites.
On review, the Court attempted to verify the accuracy of Plaintiffs’ assertions that it would take so much time and discovered a Facebook feature which permits users to “download Facebook data, including “timeline” information, “wall” postings, activity log, messages, and photographs” directly from Facebook. Following the download, the user can view all posts/activity in a single document in chronological order with a date/time stamp.
Seems like a pretty simply process – but the Court disagreed and refused to compel production of the social media posts. Given the Court’s analysis about the ability to download data from Facebook, I decided to investigate a little further myself to see how easy or difficult this process might be. I accessed my Facebook account, found the link to “download” my data and obtain an archive of my information. I started and completed the process in less than three minutes. Facebook is archiving my data as I write. As a result, I have to question Plaintiffs’ counsel’s assertions that it would take between 1,323 hours and 26,462 hours to download, review and produce the Facebook posts from only 87 people. I admit, however, that I have yet to receive an email notification that my archived data is available – so we will see.
That said, this Facebook feature should make it easier for litigants to gather and produce relevant information from Facebook, and might also decrease discovery costs – should other courts take a different view about the relevance of the data, and the ease with which the data can be collected. I can certainly see this issue coming up in employment litigation on a fairly regular basis, so we will keep our eyes open for other decisions on these issues.
Have you had an experience with production of social media posts? If so, we welcome your input!
In a recent post, Should Healthcare Professionals Sue to Protect Their Online Reputations?, we discussed several cases where physicians have sued over posts made in an online forum. Legal challenges to negative reviews have had mixed results. Remember David McKee, M.D. – one of the doctors we discussed in our last post who sued a patient’s son over his online posts. The negative online reviews were posted in the spring of 2010, but the Minnesota Supreme Court did not rule until January 2013 that the statements were not defamatory, and thus, his claims had been properly dismissed.
So – what other options are there? Some suggest that health care professionals should embrace online reviews. The Center for Quality of Care Research in 2010 conducted a survey of 33 physician-rating websites which rated 81 physicians. Of the 190 reviews surveyed, 88% were positive, 6% negative and 6% were neutral. Similarly, Tom Seery of Realself.com, an online review and comment board for cosmetic treatments, found that 90% of the patient reviews on Realself.com were positive, with a small mix of negative reviews and a smaller number of mixed reviews. Dr. Steve Feldman, a practicing dermatologist, professor of dermatology, pathology and public health sciences at Wake Forest University, and founder of a doctor rating site, Drscore.com, could not agree more. Dr. Feldman told Physicianspractice.com, Do Online Ratings Matter?, “[t]hese Web sites are actually one of the best things ever to happen to American Medicine.” Dr. Feldman believes medical rating sites give satisfied patients an avenue to describe in positive terms the care and treatment they received. Indeed, the median score of a doctor with 20 or more reviews on Drscore.com is 9.3 out of 10. “Patients love their doctors,” says Dr. Feldman. “It’s amazing how good doctors are in the United States and no one knows it.”
I would agree with Dr. Feldman that social media provides patients the ability to praise their doctors, and that the praise might help boost their physician’s practice. But what about the nearly 10 % of negative reviews – can and should a doctor respond in an online forum? Physicians should first look at the content of many of those negative reviews. According to doctoredreveiws.com, How to Respond, the most common patient complaints relate to the physician’s business practices, such as parking, wait times and staff attitude. This is information that many practices would welcome and take steps to correct! This kind of review may also provide the practice the opportunity to respond and let the reading public know that the practice will listen to patient complaints and take affirmative action to improve the quality of the patient’s experience.
That said, it is usually the online posts about direct patient care that causes concern among health care providers. Yet, in those instances where the negative criticism relates directly to patient care, and thus, implicates a patient’s privacy, the health care professional must step back to determine whether an online response is necessary and appropriate, or perhaps whether reaching out to the patient is the best bet. While the online site may require the reviewer to waive privacy constraints prior to posting the review, this might not insulate the physician. We recommend contacting legal counsel to insure that such a responsive post would not violate either state or federal patient privacy laws. If a negative review persists, the clinic or doctor might try contacting the patient directly - asking about how the concern can be remedied and ultimately whether the patient will take the negative review down. A final option might be to contact the review site. The review site might refuse to take the post down, but if the information is clearly false, inflammatory or appears to be for the purpose of harassment, the review site might respond to a plea to remove the post (although they don’t have to do so).
So can a health care professional take charge of his/her online presence? Dr. Kevin Pho, a New Hampshire internist and writer of a physician-focused blog on health and social media called KevinMD.com, believes legal action is the wrong approach in curbing negative online reviews. “In general, I can’t think of a time where a lawsuit would be tremendously effective. The negative publicity and the fallout from the lawsuit is far worse than the initial issue,” Dr. Pho reported to American Medical News, Doctors’ legal remedies can defeat online attacks. “It’s a better idea to take charge of your online presence.”
For instance, Dr. Pho believes physicians should join social networking sites, such as Facebook, LinkedIn, and also participate in community health boards, blogs and chat rooms. According to Dr. Pho, a physician’s online efforts will show-up first during a Google search of his/her name, thereby pushing any negative reviews down the list. This is certainly how many industries increase social media presence, so it seems reasonable for health care professionals to do so as well. Although I would add a caution that health care professionals should exercise extreme care when interacting with patients in an online setting (think patient privacy).
So what is the right answer? In the end the best bet may be to do nothing – at least as it relates to online criticism. As I advise clients in other industries – get a thick skin and don’t respond to criticism unless really necessary. If a response is appropriate, consider reaching out to the patient directly. Perhaps this is a little old-fashioned, but direct communication can resolve disputes better than online barbs. Finally, if you are a health care professional, take an active role in your online reputation to increase the number of positive “hits” the public might find about you or your practice. If any of you have other ideas for health care professionals, please contribute your thoughts.
In a past post, Internet Defamation Claims on the Rise as Online Reviews Impact the Bottom Line, we discussed web-based rating services and the rise of internet defamation claims. Internet reviews are rampant in the healthcare industry, and medical professionals are often the subject of online reviews as patients share positive and negative feedback about care and treatment. Some individuals are permitted to respond to online criticism, however, medical professionals may be constrained by ethical obligations and federal privacy laws to not reveal patient information. So what can or should a doctor do – sue for defamation, ignore social media altogether, or actively manage their online reputation? I guess that depending upon the circumstance – it may be one or all three practices. We will be discussing these options in the next few posts.
As to whether to take legal action, the Minnesota Supreme Court has weighed in on one such internet defamation case by a physician against a patient’s son. In David McKee, M.D., vs. Dennis Laurion, the Supreme Court concluded that none of the statements posted online by the patient’s son, Laurion, regarding Dr. McKee’s care amounted to defamation. The court dismissed the defamation lawsuit – that is Dr. McKee gained nothing from bringing the legal action. So what were the allegedly defamatory statements?
Following Dr. McKee’s examination of his father, Dennis Laurion posted the following statements on various “rate-your-doctor” websites:
1. Dr. McKee said he had to “spend time finding out if you [Kenneth Laurion] were transferred or died.”
2. Dr.McKee said, “44% of hemorrhagic strokes die within 30 days. I guess this is the better option.”
3. Dr. McKee said, “Therapist? You [Kenneth Laurion] don’t need therapy.”
4. Dr. McKee said, “[I]t doesn’t matter” that the patient’s gown did not cover his backside.
5. Dr. McKee strode out of the room without talking to the patient’s family.
6. A nurse, not affiliated with the examination of Kenneth Laurion, told Dennis Laurion that Dr. McKee was a “real tool.”
In Statements 1, 2 and 4, the Supreme Court held the statements were essentially true – that is, they were so close to what Dr. McKee admitted he said that any “minor inaccuracies” could not satisfy the falsity element of defamation. Truth is a defense to defamation.
In Statements 3 and 5, the Court found that nothing published by Dennis Laurion actually lowered Dr. McKee’s reputation in the community. The statements were, therefore, harmless and not capable of conveying any defamatory meaning. Finally, with respect to Statement 6, whether Dr. McKee is a “real tool”, the Supreme Court concluded this statement, whether by Laurion or someone else, amounted to an opinion – a statement that cannot be reasonably interpreted as stating a fact, or a statement that cannot be proved true or false (also a defense to a defamation claim). The Minnesota Supreme Court referred to the “real tool” statement as mere name calling with no real intent to defame anyone.
In other jurisdictions, it has been a mixed bag of success for internet defamation claims. An Arizona cosmetic surgeon won a $12 million internet defamation suit against a former disgruntled patient. As a result of the three year legal battle, Dr. Albert Carlotti III, suffered deteriorating health, lost hundreds of patients from his practice, and was forced to sell his home. “I was dealing with somebody who had the intent on destroying us professionally, personally and on every level.” Dr. Carlotti told American Medical News, Doctors win redress in online defamation suits. “I went from a very successful surgeon to pretty much out of business.” The disgruntled patient created her own website and claimed Dr. Carlotti was not board-certified and under state investigation. The patient also obtained the telephone numbers for the doctor’s patients, called them, and asserted the same allegations. Records, however, revealed that Dr. Carlotti had received no disciplinary action and was certified by the American Board of Oral and Maxillofacial Surgery.
When talking to American Medical News, Dr. Carlotti’s attorney applauded the verdict noting “[a] lot of physicians and professionals feel constrained by their professional obligation to keep quiet. This gives them hope that there is a change in attitude over what will be protected by the First Amendment.” Dr. Carlotti could not agree more – “It’s amazing what one person with some basic computer skills can do.” “As I stand here in the ashes of my victory, the focus is on how I rebuild and how low is it going to take?”
Bottom line – whether a defamation claim is successful or not, there is no question that online reviews can impact how the public views the care provided by medical professionals. We will evaluate other options for healthcare professionals when responding to negative reviews in the next post.
If an individual medical professional or a medical clinic is unsure whether an online review amounts to defamation, seeking legal guidance can help. What are your thoughts? Should there be limits to what a patient can post online? As always, we welcome your input.
Many companies have increased their attention to prevention of theft of trade secrets, as well as the prevention of many other kinds of data loss these days. Indeed, in February 2013, the White House released its Strategy for combating the theft of trade secrets in the United States. Kicking off the report, President Obama stated:
“We are going to aggressively protect our intellectual property. Our single greatest asset is the innovation and the ingenuity and creativity of the American people. It is essential to our prosperity and it will only become more so in this century.”
Part of the Administration’s strategy focused on enhancing domestic law enforcement’s ability to combat theft of trade secrets and improving domestic legislation, such as the Economic Espionage Act of 1996, 18 U.S.C. §§1831-1839. (For a good discussion of the Administration’s Strategy report, see my colleague Emily Duke’s article, Administration Releases Strategy to Prevent Theft of U.S. Trade Secrets).
Most companies who depend upon the ability to protect their trade secrets to maintain a competitive edge in the market are watching closely to see what happens now. A Criminal Complaint issued on June 4, 2013, in the United States District Court, for the District of New Jersey, against a former employee of Becton, Dickinson & Company (“BD”) certainly demonstrates that law enforcement is taking theft of trade secrets seriously.
In United States of America v. Ketankumar Maniar, the government alleges that Maniar (the former BD employee) had access to BD’s trade secret information and that while still employed took actions to steal that trade secret information. The Complaint further alleges that Maniar took the information in many different ways including, downloading close to 8,000 BD files containing BD trade secret information to multiple external hard drives and thumb drives and emailing BD trade secret information to his personal email account. Apparently, there is evidence that Maniar was planning to take the BD trade secret information with him to India – although that action has been thwarted by his arrest.
In addition to the former employee’s actions relating to how he took information, what might also be of interest to our readers is the focus by the government on the steps BD had taken to protect its trade secret information. The government focused on the following:
- BD had a Code of Conduct that addressed protection of trade secret information which Maniar had signed off on and acknowledged was a condition of his employment with BD.
- BD required that Maniar sign an Employee Agreement which acknowledged his obligation to protect trade secret information.
- BD maintained a Trade Secret Protection Policy that was incorporated into the Employee Agreement.
- BD maintained physical and electronic security of its trade secret information, including, with limited or restricted access to certain information.
- BD conducted training to remind employees of their responsibilities to protect trade secret information.
This case serves as a reminder that taking affirmative steps to protect trade secret assets will provide a greater opportunity in either a civil or criminal context to obtain relief from the legal system. It also serves as a reminder that companies should be mindful that some employees will disregard their obligations to the company and take information to benefit themselves or others. We have been advising clients, as well as writing, about this for years (See e.g. Recent Survey Shows That Employee Theft of Confidential Information is Rampant). Technology certainly makes it easier for employees to walk out the door with confidential information. When in doubt about what to do – contact your legal counsel, or one of the lawyers in our Trade Secret group.
In the meantime, we will keep on eye on what is happening. As always, we welcome your input.
(*Monopoly is a trademark of Hasbro)
Teresa is the Chair of Fredrikson’s Non-Competes and Trade Secrets Group, and an MSBA Certified Labor and Employment Law Specialist. She counsels business clients on risk management and policy development relating to employee use of technology, and also litigates their business and employment disputes. Teresa trains, writes and lectures extensively on legal issues arising from business use of technology and social media.