With "Friends Like These . . .

Thanks so much to my friend and colleague, Ann Holden Kendell, for contributing this blog post!  

I asked Megan if I could write a guest blog post regarding a recent case from the U.S. District Court for the District of New Jersey.  This case involves the firing of an employee after her Facebook "friend" and co-worker shared her non-public entries with their mutual employer.  Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-03305 (WJM) (D.N.J. Aug 20, 2013).

Why did I want to do this?  In addition to being interested in this case as an employment lawyer and voyeur (this employee had a long disciplinary record and her brother ended up representing her when her original attorney withdrew), I was struck by how Megan could have written this opinion herself.  I have given many speeches to clients and organizations with Megan and have heard her social media presentations. 

Her guidance matches with the takeaways from this case.  In addition to other laws and invasion of privacy issues, the Federal Stored Communications Act (“SCA”) will apply to non-public Facebook posts. However, people with authorized access – i.e., a Facebook friend – may access the information.  In short, Deborah Ehling’s Facebook friend properly had access to her private posts.  He independently chose to pass that information on to their mutual employer.  This was another important piece of the case:  the evidence showed the employer did not force or coerce this "friend" to provide the information; the shared communication was unsolicited.  The court explained:

...the evidence shows that Defendants were the passive recipients of information that they did not seek out or ask for. Plaintiff voluntarily gave information to her Facebook friend, and her Facebook friend voluntarily gave that information to someone else.

In light of how this all “went down,” the court found that the employer did not violate any statutory or tort law in terminating Ms. Ehling, and it dismissed her lawsuit.

Does this mean employers can do whatever they want?  Simply put, no.  The facts of this case worked out for the employer, but the facts of most cases are often moving targets and not fully known until the witness is under oath.  If this “friend” had indicated there had been some pressure (maybe even just a request) to turn over the Facebook posts, this likely would have turned out very differently.  Or, imagine if the “friend” suddenly received a raise or promotion after turning over the information…this would have looked shady and could have affected the outcome.    

Employers still need to use caution when using Facebook information in employment decisions. True, it's important to determine whether the information found is appropriate for use in an employment decision. But even before we get to that question, employers should pause to consider how it obtained the information. For example, were any underhanded means were used (such as deceit, coercion, etc.)? Was the information requested in good faith, but still in a manner that could suggest another person felt pressure to turn it over? Was it completely unsolicited, as it was in this case? These kinds of questions should guide an employer's analysis. At least that's what Megan tells people, and Judge Martini agreed.

US Supreme Court Issues Opinion in Quon Sexting Case

The United States Supreme Court ruled today that a public employer’s search of sexually explicit text messages on a police officer’s employer-issued pager did not constitute an illegal invasion of privacy.  The Court overturned the Ninth Circuit, which had determined the employee had a reasonable expectation of privacy in his text messages and that the city’s search was not reasonable.

The city argued its employees had no reasonable expectation of privacy in communications made on employer-provided devices.  The Court explained:

The record does establish that OPD, at the outset, made it clear that pager messages were not considered private. The City’s Computer Policy stated that “[u]sers should have no expectation of privacy or confidentiality when using” City computers. . . . Chief Scharf’s memo and Duke’s statements made clear that this official policy extended to text messaging.

The disagreement over the expectation of privacy question arose as a result of later communications by the officer responsible for the city's contract with Arch Wireless, and whether these later representations overrode the city's official policy.  The Court, however, avoided deciding that question -- resting its decision on narrower grounds.  The Court advised, "Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices." 

The Court acknowledged that "[r]apid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior" and concluded that "[a]t present, it is uncertain how workplace norms, and the law’s treatment of them, will evolve."  The Court said a broad holding on the question of employee privacy expectations vis-à-vis employer-provided equipment may well have implications for future cases that can't be predicted.  The Court essentially moved on to simply assume without deciding that even if Quon had a reasonable expectation of privacy in his text messages, the city did not violate the Fourth Amendment by obtaining and reviewing the transcripts in this case.

Stay tuned for further analysis and comment on this important case!  More posts on this case will come after I've had more time to review the details more closely.

School Faces Class Action Lawsuit for Secretly Spying on Kids at Home Via Remote-Controlled Webcams

Let's say a school administrator crawled into your kid's backpack to sneak into your home. 

Creepy McCreeperson?  A Pennsylvania family sure thought so when they experienced the functional equivalent.

The Robbins family filed a federal class action lawsuit against a school district after learning the district used a webcam in a school-issued laptop to secretly spy on their 15-year-old son when he was at home. They've sued for invasion of privacy under state law, violation of the Pennsylvania Wiretapping and Electronic Surveillance Act, and violations of the federal Electronic Communications Privacy Act, Computer Fraud Abuse Act, Stored Communications Act, and the Fourth Amendment.

According to the complaint (which Philly.com posted online), the school surreptitiously spied on students by remotely activating the webcams installed on the laptops the Lower Merion School District issued to them.

The family learned about the remote spying in November of 2009, when an assistant prinicipal told their son, Blake, that she believed he “was engaged in improper behavior in his home, and cited as evidence a photograph from the Webcam embedded in [his] personal laptop issued by the School District.”

The school posted a response on its website, essentially admitting the laptops' webcams can be remotely activated, but saying it was meant to be used for security purposes -- to track down a lost or stolen piece of equipment.

(Thanks to Bret D. for the tip on this story!)

Employer Liability for Accessing Employee's MySpace Group, Part Deux

In yesterday's post on Pietrylo v. Hillstone Restaurant Group, I blogged about an employer that found itself in hot water for accessing an employee's "by invitation only" MySpace group (called the Spectator) by using another employee's login information.  The jury found the restaurant liable under the Stored Communications Act (also known as Title II of the Electronic Communications Privacy Act of 1986).  The plaintiffs in that case also pursued a common law invasion of privacy claim.  Although the plaintiffs lost on that count, there's an important jury finding worth pointing out.

On the invasion of privacy claim ("intrusion upon seclusion"), the jury instructions asked, "Was the Spectator a place of solitude and seclusion which was designed to protect the Plaintiffs' private affairs and concerns?"  To this, the jury responded, "yes."

The instructions went on to ask, "Did the Plaintiffs have a reasonable expectation of privacy in the Spectator?"  Here, the jury answered "no," which left the plaintiffs without a claim.  (The jury didn't go on to determine whether a reasonable person would find it highly offensive, the next element to prove the claim).

This seems a bit curious -- as the two answers appear to be mutually exclusive.  In other jurisdictions, an affirmative answer to the first question would necessarily mean the plaintiffs had a reasonable expectation of privacy in the "thing" intruded.  An invasion of privacy claim for intrusion upon seclusion in Iowa, for example, just has two elements:  (1) an intentional intrusion upon the solitude or seclusion of another, (2) which a reasonable person would find highly offensive. 

However this verdict form might be analyzed, one thing is clear:  a jury may well find that "by invitation only" MySpace groups --as well as other online content with certain privacy controls -- can be a "place of solitude and seclusion" for purposes of an invasion of privacy claim.

Here's the relevant portion of the jury form:

Employer Liability for Accessing Employee's MySpace Group

A jury decided an employer violated the Stored Communications Act (“SCA”) and the parallel state statute when management used an employee’s login information to access the site, awarding compensatory and punitive damages.

According to court documents, two Houston’s restaurant employees, Brian Pietrylo and Doreen Marino, created a private MySpace group called the “Spectator” to (in Brian’s words) “vent about any BS” they dealt with at work. One of the invitees was restaurant greeter, Karen St. Jean. Management apparently caught wind of the web page, and asked Karen for her login information. She voluntarily turned it over to them, and the managers logged on to find all kinds of stuff they weren’t too pleased about:

 Talk of workplace violence (i.e., “The Navajo rug needs to be set on fire”),
 References to illicit drug use (i.e., “If you had to drop acid with one person in Houston[’]s, who would it be?”),
 Offensive name-calling and sexual remarks (i.e., “management dick suckers” and reference to a “rim job,” which apparently involves some kind of anal sex act),
 Disclosure of proprietary business information (i.e., entire wine test on a new wine list that was to be given to the staff)
 Sarcastic and derogatory comments about the quality and standards of Houston’s, as well as its management (i.e., “stupid corporate f---s”).

Houston’s fired Brian and Doreen, and they sued. The jury returned a verdict in favor of Brian and Doreen on their SCA claims, finding that through its managers, Houston’s had knowingly or intentionally accessed the Spectator without authorization.

Following the jury verdict, Houston’s moved for judgment as a matter of law, or alternatively, a new trial. On September 25, 2009, the US District Court for the District of New Jersey issued its opinion denying the motion.

The court said that although Karen voluntarily handed over her login information to them, she testified she would not have turned over her password to any non-managers who asked for it, and she worried she “probably would have gotten in trouble” if she hadn’t complied. Thus, according to the court, a reasonable jury could have decided her purported “authorization” was coerced or pressured. Further, the managers accessed the site on multiple occasions, despite the fact is was clear on the group page that it was meant to be private and accessed only by members. Heck, the way they went about accessing the password-protected MySpace group also suggested they knew they weren’t authorized. Despite the restaurant’s claimed belief its managers pursued access to the Spectator for legitimate business reasons, the jury didn’t believe the way Houston’s tried to protect those interests was proper.

This case reminds employers there are risks in attempting to access employee’s online content – particularly when that access might be considered “unauthorized.” Employers generally should avoid using false information or someone else’s login and password to gain access to any web sites.