navigating workplace privacy issues - seyfarth shaw...citrix gotomeeting, google apps) –platform...
Post on 21-Jun-2020
5 Views
Preview:
TRANSCRIPT
Seyfarth Shaw LLP “Seyfarth Shaw” refers to Seyfarth Shaw LLP (an Illinois limited liability partnership). Seyfarth Shaw LLP
Navigating
Workplace
Privacy Issues
November 2, 2016
Karla Grossenbacher
Stacey Blecher
Meredith-Anne Berger
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential
Selyn Hong
Elizabeth Levy
Ari Hersher
Presenters
Karla Grossenbacher
Partner | Washington, D.C.
(202) 828-3556
kgrossenbacher@seyfarth.com
Stacey Blecher
Counsel | New York
(212) 218-5530
sblecher@seyfarth.com
Meredith-Anne Berger
Associate | New York
(212) 218-3336
mberger@seyfarth.com
Selyn Hong
Associate | San Francisco
(415) 732-1149
shong@seyfarth.com
Elizabeth Levy
Associate | Los Angeles (Century City)
(310) 201-1565
elevy@seyfarth.com
Ari Hersher
Partner | San Francisco
(415) 544-1063
ahersher@seyfarth.com
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 2
Monitoring Electronic Workplace
Communications
Best Practices to Avoid Privacy Issues
in BYOD Programs
Issues in Cloud Computing for
Employers
NLRB Social Media
Social Media Privacy & Use in Litigation
Agenda
3
5
4
2
1
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 3
Monitoring Electronic
Workplace Communications
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 4
Applicable Law
• State and federal statutes prohibiting unauthorized access
or monitoring of electronic communications
• Common law Invasion of Privacy
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 5
Applicable Law
• Stored Communications Act
• SCA makes it illegal to access without authorization a
facility through which electronic communication service is
provided and thereby obtain access to communications in
electronic storage
• Exception for person or entity providing the electronic
communication service
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 6
Invasion of Privacy
• Restatement of the Law, Second, Torts
• One who intentionally intrudes, physically or otherwise,
upon the solitude or seclusion of another or his private
affairs or concerns, is subject to liability to the other for
invasion of his privacy, if the intrusion would be highly
offensive to a reasonable person.
• “Intrusion” presuppose lack of authorization or consent
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 7
Case Studies
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 8
Pure Power Boot Camp v. Warrior Fitness Boot Camp (S.D.N.Y. 2008)
• employees leave in order to set up competing business
• While employed, access his Hotmail account from
company computer
• Employee stored user name and password on computer
• Employer read emails in Hotmail
account to determine if employee had
engagement in malfeasance
– accesses other accounts
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 9
Pure Power Boot Camp v. Warrior Fitness Boot Camp
• Employee alleges violation of SCA
• Employer argues
– policy put employees on notice emails could be
reviewed
– implicit authorization because of stored password
credentials
• SCA violation found
– Policy did not have appropriate language
– House keys analogy
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential
10
Lazette v. Kulmatycki (N.D. Ohio 2013)
• Employee terminated
• Turned in company-issued BlackBerry without deleting
Gmail account and employer reviewed emails
• Employer read emails and argued implicit authorization
and no affirmative act to acquire emails
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 11
Lazette v. Kulmatycki
• Employee alleged both SCA violation and invasion of
privacy
• SCA violation found
– negligence does not equal approval
• Invasion of Privacy
– can’t consider handbook on motion to dismiss
– emails were highly personal
– other considerations: why did he access them? when did she
know?
- ©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 12
Sunbelt Rentals v. Victor (N.D. Ca. 2014)
• Employee leaves company
• Returned company issued iPhone and iPad and forgot to
de-link Apple account and text messages continued to
come to phone
• Employer reviews texts because of concerns over
misappropriation of trade secrets
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 13
Sunbelt Rentals v. Victor
• Employee alleges SCA violation and Invasion of Privacy
• No SCA violation
– Texts are not communications that are in electronic storage
• No Invasion of Privacy –
– No expectation of privacy in company-issued phone no longer in his
possession
– No expectation of privacy in general for texts (and no evidence
regarding contents of texts)
– He did not take appropriate steps to protect his texts (i.e., delinking
his Apple account before returning the device)
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 14
Maremont v. Susan Freedman Design (N.D. Ill. 2014)
• Marketing Director uses personal social media accounts to market
employer
• Sets up Facebook page for employer (uses personal account to
administer)
– makes spreadsheet with passwords
• Marketing Director gets in accident – absent from work
• Employer accesses accounts while employee is absent
– uses both personal and employer accounts
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 15
Maremont v. Susan Freedman Design
• Files suit under SCA
• Disputed fact as to whether or not employer exceeded
authorization
• No actual damages needed to sue under SCA and get attorneys
fees and punitive damages!
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 16
Takeaways from Case Law To Date
• Whether statutory or common law causes of action – consent is
key
• Negligence does not equal consent
• Texts appear to be less protected than emails
• Think twice about who sets up employer social media accounts
and have clear understanding up front about access and rights
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 17
Best Practices in BYOD
Programs
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 18
What is “BYOD”?
• Policy of permitting employees to bring and use personally
owned mobile devices in the workplace
• Allows employees to use their own devices to access
company information and applications
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 19
No. 1 Reserve the Right to Monitor
The company’s policy should clearly state that it reserves the
right to access, monitor, and delete its proprietary and
confidential information from employee-owned devices in the
policy.
Employees should sign the policy to establish consent
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 20
No. 2 Reserve Right to Take Physical Custody of the Device
Employer may temporarily take physical possession of
device to access and collect information for legitimate
business purposes (e.g. workplace investigation, litigation,
etc. )
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 21
No. 3 Encryption is Key
Encrypt company data and implement security patches for
trouble spots, such as unsecured WiFi, phishing scams, and
downloaded malware.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 22
No. 4 Have An Information Security Policy and Train On It
Implement data security protocol to avoid the loss or breach
of employer and/or employee data.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 23
No. 5 Don't Forget the Remote Wipe Feature
Enable a remote-wipe feature to erase employer data for
departing employees lost or stolen devices
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 24
No. 6 If BYOD Is Abused, CFAA Can Be Considered
Computer Fraud and Abuse Act provides private right of
action for various cyber crimes
Only to be used where damages have been suffered as a
result of violation
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 25
Cloud Computing For Employers
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 26
Overview of Cloud Computing
• Cloud services like Dropbox, Google Drive, Apple iCloud
and Yahoo Mail allow employers to store and access data
on the internet
• Cloud services can be public or private and include:
– More common subscription based Software as Service (e.g.,
Citrix GoToMeeting, Google Apps)
– Platform as a Service
– Infrastructure as a Service (e.g., Amazon Web Services)
• 81% of U.S. businesses with 100 or more employees
use cloud computing.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 27
vs.
Pros and Cons of Employers Using Cloud Computing
PROS
– Data is accessible anywhere there is an internet connection
– Allows for increased collaboration and flexibility
– Because vast amounts of data are available, can provide affordable redundancy and backup storage
– May be able to allocate IT responsibilities to vendors
CONS
– Data is accessible anywhere
there is an internet connection
– May open the door for off-the-
clock claims
– Because vast amounts of data
are available, may provide an
easy avenue for employees to
take vast quantities of
proprietary information very
quickly
– May become reliant on vendors
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 28
Privacy Considerations in the Cloud
• Availability and access to data on the cloud can
facilitate data breaches.
– General analog protections should be implemented:
employee training
selective access
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 29
Privacy Considerations in the Cloud
• Cloud-specific protections should be implemented
– vet your provider and implement protective terms of service
(this can come into play if the cloud provider is subpoenaed)
– encryption
– monitor downloads
– monitor access/allow for forensic analysis when needed
– confidentiality agreements
– implement policies that prohibit unauthorized storage
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 30
HIPAA Privacy Issues in the Cloud
• HIPAA requires protection of protected health
information (“PHI”)
• HIPAA applies to “business associates”- i.e. a person or
entity that creates, receives, maintains or transmits PHI in
fulfilling certain functions for a HIPAA covered entity
• Cloud service providers have been deemed to be
“business associates”
• Employers may be liable for their business associates,
which can result in fines
– Use business associate agreements
– Monitor data breaches ©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 31
Litigating in the Cloud
• Location of data may open the door to “doing business” in
another state or country
• Vendor contracts should include choice of law and choice of
forum clauses
• Vendors who move must provide sufficient notice
• Different countries have different standards
– European Data Protection Directive
prohibits transfer of private data across national borders without adequate
protections
For American companies to transfer data between the U.S. and E.U., they
must enter a Safe Harbor
• Litigation holds should apply to data stored in the cloud
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 32
NLRB Decisions on Employers’
Policies and Ability to Discipline
Employees Based on Social
Media Postings
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 33
National Labor Relations Act (NLRA)
• Section 7 of the NLRA states in relevant part:
– Employees shall have the right to self-organization, to form,
join, or assist labor organizations, to bargain collectively
through representatives of their own choosing, and to engage
in other concerted activities for the purpose of collective
bargaining or other mutual aid or protection, and shall also
have the right to refrain from any or all such activities.
• Section 8(a) of the NLRA states in relevant part:
– It shall be an unfair labor practice for an employer . . . to
interfere with, restrain, or coerce employees in the exercise of
the rights guaranteed in section 7.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 34
Protected Concerted Activity
Definition: Complaints about workplace issues that affect at
least two workers.
– The complaining employee does not need to be acting with the
authority of co-workers, as long as he or she is working to
initiate, induce or prepare for group action.
– The NLRA protects employees who engage in protected
concerted activity, even if they are not union members.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 35
Scope of NLRA Protection
• Must involve a term or condition of employment
• Broadly construed
• Protection extends beyond immediate employee-employer
relationship to acting with other employees to improve
employee interests in, for example, legislation or
demonstrations
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 36
Unprotected Activity
• Conduct directed toward co-workers or supervisors is
insubordinate or even threatening (Atlantic Steel).
• Appeal to third parties must make clear that comments
are in the context of a labor dispute (Jefferson).
– Appeals to third parties become unprotected when:
• Conduct is so disloyal, reckless, or maliciously untrue as to
lose the NLRA’s protection.
• Disparagement of the employer’s products or services may
justify loss of the NLRA’s protection
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 37
Protected “Concerted” Activity
• “Concerted”
– Actual concert by two or more employees
– Individual employee attempting to initiate or induce group
action, even when attempt is rebuffed
– Individual pursuing “logical outgrowth” of previously
expressed group concerns
– Individual disciplined to prevent employee protected
concerted activity (“preemptive strike”)
• Personal gripes not concerted
• Need expression of shared concerns, not just sympathy or
general dissatisfaction
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 38
• Cannot have blanket rules on discussing “employee information”
• Cannot require employees to only be respectful
• Cannot prohibit behavior that does not quite amount to insubordination
• Cannot require refraining from damaging company reputation or not acting in company’s best interest
• Cannot prohibit employees from disagreeing with each other, even with strong language
• Cannot prevent employees from speaking to the media on their own or other employees’ behalf
• Cannot prevent fair use of logos and trademarks
March 18, 2015 General Counsel Memo Addressing Employer Privacy Rules
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 39
The NLRA & Social Media
Two types of potential violations
1. Maintaining an overly broad rule that interferes with
employees’ rights to engage in concerted protected activity
2. Disciplining employees for engaging in concerted protected
activity on social media
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 40
Protected Social Media Activity
• An employee is protected under the NLRA when
discussing work conditions with other coworkers on social
media
– Complaining on social media about policies, managers, wages
– Sharing wage information on posts
– Expressing union support on posts or comments
• Examples of social media activity that could be protected
– Facebook posts
– “Likes” on Facebook or other social media
– Twitter discussions and retweets
– Blogging about work conditions
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 41
Decisions Regarding
Protected Social Media Posts
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 42
Karl Knauz Motors, Inc., 358 NLRB No. 164 (September 28, 2012)
• In the fall of 2012, the NLRB began to issue decisions in
cases involving discipline for social media postings.
• Karl Knauz Motors, Inc. was the first such decision.
– The NLRB found that the firing of a BMW salesman for photos
and comments posted to his Facebook page did not violate
federal labor law.
– The NLRB agreed with the ALJ that the salesman was fired
solely for the photos he posted of an embarrassing Land
Rover incident which did not involve fellow employees and
was not concerted activity, so was not protected.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 43
Hispanics United of Buffalo, Inc., 359 NLRB No. 37 (December 14, 2012)
• Since Karl Knauz Motors, Inc., a number of NLRB
decisions starting with Hispanics United of Buffalo, Inc.
have reached the opposite result.
– In Hispanics Unites of Buffalo, the NLRB found that it was
unlawful for a non-profit organization to fire five employees
who participated in Facebook postings about a coworker who
intended to complain to management about their work
performance.
– The Facebook comments and responses concerned working
conditions such as work load and staffing issues.
– The NLRB found that the Facebook conversation was
concerted activity and was protected by the NLRA.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 44
Triple Play v. NLRB (2d Cir. 2015)
• Two employees of sports bar criticized their employer on
Facebook.
– A former employee posted:
“Maybe someone should do the owners of Triple Play a favor
and buy it from them. They can’t even do the tax paperwork
correctly!!! Now I OWE them money . . . Wtf!!!!”
– A current employee “liked” the post.
– A second current employee added in response to a
subsequent comment by the initial poster accusing one of
Triple Play’s owners of criminal conduct:
“I owe too. Such an asshole.”
– The sports bar terminated both employees. ©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 45
Triple Play v. NLRB (2d Cir. 2015) cont’d
• In 2014, the NLRB found that the terminations were unlawful
because the employees were engaged in protected (work-
related) discussions under the NLRA.
• In 2015, the 2d Circuit affirmed the NLRB’s decision.
– Wages, including the tax treatment of earnings, are directly
related to the employment relationship.
– Employees were engaged in concerted activity:
Two other employees were involved in the Facebook
discussion.
Facebook discussion was part of a sequence of events, all of
which concerned the employees’ complaints about the tax
treatment of their earnings. ©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 46
Triple Play Takeaways
• Employers should consider consulting with experienced counsel before
terminating an employee for disparaging or defamatory speech when
that speech occurs in a group discussion about work on social media.
• Since a “like” can be protected conduct on its own, employers should
consider consulting with experienced counsel before disciplining
employees based on a “like” of a post about work.
• An employee’s use of obscenities in a social media post does not itself
suffice for the employee’s communications to lose NLRA protection.
• General policy language that establishes subjective standards (i.e.,
“inappropriate discussion”) raises a red flag unless accompanied by
specific examples making it clear to a reasonable employee that the
general language is not intended to encompass protected speech.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 47
Pier Sixty, LLC, 362 NLRB No. 59 (December 14, 2015)
• During a pending organization campaign, a manager and
an employee of a New York-based catering company
providing full-service event planning for private functions
got into a conflict.
– As the manager attempted to direct a group of employees at
an event, the employee claimed the manager told them to
“stop chit-chatting” and later used a harsh tone of voice,
ordering them to “spread out” and “move!”
– In response, the employee posted on Facebook:
“Bob is such a NASTY MOTHER F*CKER don’t know how to
talk to people!!!!!! F*ck his mother and his entire f*cking
family!!!! What a LOSER!!!! Vote for the UNION!!!!!!”
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 48
Pier Sixty, LLC, 362 NLRB No. 59 (December 14, 2015) cont’d
• The NLRB found in favor of the employee.
– The employee’s Facebook post was a protected exercise of
“concerted activity” rights; and
– The employee’s specific conduct was not sufficiently
egregious, serious or violent to lose its protected character
under NLRB precedent.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 49
Takeaways
• Before taking disciplinary action based on an employee’s
social media postings, consider:
– Does the employee’s complaint involve protected substance?
– Does the employee’s complaint involve concerted action or is
it just an individual gripe?
– Could the employee’s complaint evolve into concerted action
by other employees?
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 50
Decisions Regarding
Employee Handbook Policies
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 51
NLRB’s Two-Step Test for Assessing Social Media Policies
The NLRB implements a two-step test in determining
whether or not a social media policy violates employee rights
under the NLRA. (Costco v. Wholesale Corp.)
1. First, the inquiry focuses on whether the provision explicitly
restricts protected concerted activities.
If it does, it is invalid.
2. The second step comes into play if the provision does not
explicitly restrict the activity but:
(1) employees may reasonably construe the language to
prohibit protected concerted activity;(2) the rule was
promulgated in response to union activity; or (3) the rule was
applied to restrict the exercise of concerted activity.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 52
Karl Knauz Motors, Inc. 358 NLRB No. 164 (September 28, 2012)
The NLRB considered “Courtesy” rule in
dealership’s handbook…
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 53
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 54
Courtesy is the responsibility of every
employee. Everyone is expected to be
courteous, polite and friendly to our
customers, vendors and suppliers, as
well as to their fellow employees. No
one should be disrespectful or use
profanity or any other language which
injures the image or reputation of the
Company.
Karl Knauz Motors, Inc. 358 NLRB No. 164 (September 28, 2012) cont’d
• The NLRB found that this rule violated the NLRA because
“employees would reasonably construct its broad
prohibition against “disrespectful” conduct and “language
which injures the image or reputation of the Company” as
encompassing Section 7 activities.
– There was no rule which limited the application of the rule to
exclude Section 7 conduct.
– A reasonable employee would believe he would be punished
for engaging in Section 7 activity that violated the rule.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 55
U.S. Cosmetics Corp. (May 17, 2016)
• ALJ reviewed the social media policy of U.S. Cosmetics
Corp.
• The policy included the following provisions:
– “Under no circumstances may an employee . . . [p]ost financial,
confidential, sensitive or proprietary information about the Company,
clients, employees or applicants on social media. Additionally,
employees may not post obscenities, slurs or personal attacks that
can damage the reputation of the Company, clients, employees or
applicants . . .”
– Employees are prohibited from “using disparaging, abusive, profane
or offensive language; creating, viewing or displaying materials that
might adversely or negatively reflect upon USCC or be contrary to
USCC’s best interests . . .”
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 56
U.S. Cosmetics Corp. (May 17, 2016) cont’d
– “Employees may not post obscenities, slurs or personal attacks that
can damage the reputation of the company, clients, employees or
applicants.”
– “Under no circumstances may an employee . . . prematurely disclose
confidential and proprietary information to any unauthorized person.”
– “It is our policy that all information considered confidential will not be
disclosed to external parties or to employees without a ‘need to
know.’ If an employee questions whether certain information is
considered confidential, he/she should first check with his/her
immediate supervisor.”
– “Employees may not post financial, confidential, sensitive or
proprietary information about the company, clients, employees or
applicants.”
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 57
U.S. Cosmetics Corp. (May 17, 2016) cont’d
• The ALJ found that the policy was invalid.
– An employee could reasonably believe that posting statements
of protest or criticism would be damaging or would adversely
or negatively reflect upon the Company’s reputation.
– All of the provisions could be interpreted as encompassing
information about pay and other benefits
• The recent U.S. Cosmetics Corp. holding is similar to other
NLRB holdings over the past several years in that it
disfavors vague, overbroad language.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 58
Takeaways
• Review policies and revise those that may be vague or
overbroad.
– For example, review policies on confidential information,
blogging, internet or e-mail usage, external communications,
solicitation or postings, internal grievances, non-
disparagement, off-duty conduct, wage discussions.
• Even innocuous, conventional policies like anti-harassment
policies are subject to attack by the NLRB.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 59
Social Media Privacy
& Use in Litigation Practical Strategies for Employers
• Social Media Privacy Legislation
• Regulating Social Media in the Workplace
• Creating and Enforcing Social Media Policies
• Discovery Into Social Media
• Tips for Employers
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 60
– 1.4 Billion account holders
– 936 million daily active users
(avg. 20+ mins/day)
– 302 million users
– 500 million “tweets” per day
– 364 million members in over 200
countries and territories.
– More than 2 new members per second
• Snapchat
– 200 million users
– 700 million photos sent each day
– Avg. user spends 2x time on the Internet
Some Interesting Statistics
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 61
• Avoiding Data Theft & Trade Secret
Protection
– Social Media provides a means to obfuscate
data theft, allowing a perpetrator to leave with
information outside of the company’s firewall.
• Regulate the Workplace
– Social networks such as Facebook and Twitter
have means of private communication, which
may be used by employees.
• Litigation Avoidance & Defense
– Ensuring employees are not using social media
to engage in unprofessional behavior (e.g.
discrimination/harassment).
– Discovering information relevant to litigation and
workplace investigation.
• Public Relations
Why Access An Employee's Social Media Account?
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 62
Social Media Protection Under Federal Law
• No federal law prohibiting employers from requesting personal social media login information from applicants and employees.
• The Stored Communications Act prohibits employers from intentionally accessing such information “without authorization.”
• Courts have held employers accessing private websites in violation of SCA, but the SCA is only applicable where the employer gains access without authorization.
• Where an employee gives his/her employer personal login information upon request, the employer can argue that SCA does not apply because they were “authorized” to log onto the account.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 63
Which States Have Social Media Legislation?
1. Arkansas
2. California
3. Colorado
4. Connecticut
5. Delaware
6. Illinois
7. Louisiana
8. Maine
9. Maryland
10.Michigan
11.Montana
12.Nebraska
13.Nevada
14.New Hampshire
15.New Jersey
16.New Mexico
17.Oklahoma
18.Oregon
19.Rhode Island
20.Tennessee
21.Utah
22.Virginia
23.Washington
24.Wisconsin
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 64
What’s Prohibited and What are the Teeth
Federal Law: No access without employee authorization.
a) This includes where an employer gains access to the employee’s account through the
account of another person who can see the account (i.e. a coworker).
State Law: Rules Differ by State. However, most state laws require:
a) No asking, insisting on ‘personal’ account access;
b) No requesting username and password
c) No requiring the adding of employer reps to accounts
d) No ‘shoulder surfing’
e) No retaliation for invoking statutory rights or for an employee’s refusal to provide access
Consequences (vary from state to state)
a) Heavy states (i.e. Oregon): lawsuits, penalties, attorneys fees, reinstatement, back pay.
b) Light states (i.e. New Jersey): complaints to DOL, which may investigate and impose
nominal penalties.
c) California: fines up to $1,000 for first violation, up to $5000 for subsequent violations;
complaints to Dept. of Labor
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 65
What’s Permitted
• Mandatory access to ‘non-personal’ and/or ‘employer’
accounts
– Accounts opened at employer’s request
– Used for employer business
• Suspected workplace misconduct investigations
– Reasonable belief of misappropriation or data theft
– Co-worker harassment via SN account
• Employer device and systems monitoring
• Search for and use of publicly-available account info
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 66
Creating a Social Media Policy/Agreement
• Proper use
• Integrate existing policies – e.g., electronic equipment and systems
use, confidentiality, code of conduct, harassment
• No use during work hours or while using company provided equipment
• Only seek to regulate social media activity impacting the company
• No expectation of privacy in social media activities using company
equipment or systems
– Must follow the company’s conduct standards and its policies
Should not defame anyone or damage their reputation
No disclosure of confidential information
• Failure to abide by the guidelines may subject them to discipline as well
as legal action by the company or others
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 67
Additional Things to Consider in Creating a Social Media Policy
• State-specific law regarding employee social media
accounts and permissible scope of employer access
• Defining “personal” versus “non-personal” accounts (i.e.
accounts used for business purposes)
• BYOD policy
• Conflict of law analysis involving
interstate or telecommuting
employees.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 68
• What is a ‘Personal’ or ‘Employer’
Account?
– Some statutes try to define them,
some don’t
– Hybrid accounts – who owns them?
– ‘BYOD’ policies – another layer of
complexity
• Multi-state Employers – Conflicts
of Laws
• Discoverability of Account Content
in Litigation
Areas Where the Law is Still Developing
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 69
Litigation Discoverability of Social Media
• Courts have seen a dramatic increase in the number of social media postings that are requested to be produced in discovery.
• While emails and other electronic documents have flooded the courts for decades, the uniqueness of social media platforms presents various questions of privacy, accessibility, preservation, and admissibility.
• Courts have predominantly interpreted these questions in the same way as with emails, text messages, and other electronically stored information (ESI).
• Courts continue to require relevancy and forbid fishing expeditions.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 70
Discoverability of Public Posts
• Information shared on social media is treated like other forms of
discoverable information.
• Social media is often a fruitful area for discovery, as many
individuals use the communication tools (e.g. Facebook
messaging) and do not consider the discoverability of their
communications when do so (resulting in valuable admissions).
• There is no judicially accepted social media privilege or blanket
of privacy when it comes to social media sites.
• Information posted on the Internet and made available to the
public is generally considered to be public information because
the poster has no reasonable expectation of privacy in the
published material.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 71
Discoverability of Private Posts
• Private Messaging & Posts: When certain information is restricted
from the general public’s eyes, more formal discovery methods must be
utilized.
– Crispin v. Audigier found that whether the social media information should be
disclosed to the opposing party depended on the plaintiff’s privacy settings.
– Public information was available to the company, but the company needed a
subpoena pursuant to the Stored Communications Act to access the
information that was limited to certain viewers.
• General Rule: Keep traditional discovery rules in mind when seeking
social media information.
– Establish that the requested social media information is relevant to a claim or
defense,
– Select the most effective (and least invasive) method to obtain the information.
– The more direct and specific the request, the more likely it is to be enforced.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 72
Means of Discovery into Social Media
• Courts have approved various mechanisms to allow for
discovery into social media, while protecting employee privacy:
– Direct access via consent (subject to state and federal law)
– Discovery request
– Third party subpoenas
– In camera review
– Attorney’s eyes only
• Choosing the right mechanisms will depend on the type of
litigation and scope of information sought.
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 73
Social Media Role in Emotional Distress Claims
• Social media evidence is particularly probative in employment
litigation because individuals are becoming more willing to share
personal details of their lives on social media.
• Damaging social media evidence can harm a plaintiff’s case and
can be used as a vehicle to lower or eliminate damages.
• Examples:
– Social media picture and messages can be used to challenge
false disability claims;
– Undermine claims for severe emotional distress;
– Show malfeasance on the part of the plaintiff
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 74
Tips For Employers
Policies: Review the social media privacy laws in the states in
which you operate and ensure compliance.
Platforms: Keep up with social media platforms as they develop
and understand how they’re used by.
Investigate Public Material First: Gather what information is
publicly available. This avoids spoliation and strengthens
discovery demands.
Tailor Requests Narrowly: Courts are more likely to enforce
requests that are not “fishing expeditions.”
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 75
Thank you for joining us today!
©2016 Seyfarth Shaw LLP. All rights reserved. Private and Confidential 76
top related