Privacy and Social Media in the Workplace
© Bob E. Lype, 2012
PRIVACY AND SOCIAL MEDIA IN THE WORKPLACE
© Bob E. Lype, 2012
Prepared in connection with the seminar, "Employment Law: Beyond the Basics," presented by Sterling Education Services, LLC in Chattanooga, Tennessee on September 20, 2012
Privacy in the workplace is a developing area of law. There are dozens of privacy-related considerations in the employment law setting, and many of the current issues being considered by courts, employees' lawyers and employers' lawyers are novel, so that guidance is somewhat scarce. These novel, developing issues include:
• Monitoring of employee communications or conduct at work (including e-mails, internet usage, telephone calls, text messaging, instant messaging, etc.)
• Monitoring, or making employment decisions based upon, employees' use of social media such as Facebook®, Twitter®, LinkedIn®, MySpace®, blogging, etc.
• Use of new technologies, such as global positioning systems (GPS devices), Google Maps®, and the like to "track" or monitor employee activities both while they are supposedly working and while they are away from work.
The "internet," as we know it, was commercialized in the mid-1990s. However, in the last few years, there is a "second generation" of uses of the internet based upon what is commonly known as "Web 2.0" applications. These are applications which have made it easy for everyday folks to share information, collaborate, and interact on the World Wide Web almost instantaneously and inexpensively, through such things as blogs, Facebook, video sharing sites such as YouTube®, microblogs such as Twitter, and the like. According to Facebook, it had 800 million active users as of December, 2011. Twitter reported 200 million registered users, tweeting on average 230 million times per day. According to Blog Pulse, there were almost 180 million identified blogs as of December, 2011.
The conversational ease with which we can "post" comments, videos, rants, photos and the like through these Web 2.0 applications can cause us to say things "in the heat of the moment," or to use less discretion than we might use if we were writing a letter. In the employment law context, sometimes an employee might use a personal social media to express her personal feelings about a supervisor for the world to see. Sometimes the supervisor might post his gripes about an employee or group of employees. Sometimes such comments are sent out through the company's e-mail account. Sometimes a company's confidential or sensitive information, or even trade secrets, may be shared through a careless e-mail or "blast." There are a myriad of things which can "go wrong" with the use of the new technologies, from an employer's perspective.
In addition, most Web 2.0 applications allow for accounts which can be accessed from any computer with internet capabilities. This leads to employees accessing their social media sites while using their work-provided computers, or text messaging with their work-provided cell phones, etc.
The most frequently cited concerns for employers about these types of activities include:
• The drain on productivity caused by employees using social media and technology for personal reasons during work time.
• The possible increase in malaware and viruses which may be introduced into the company's computer systems, since social media provides a massive platform for hackers to commit fraud and launch spam.
• Damage to the company's brand and reputation resulting from poor decisions by employees which lead them to make unflattering, or even malicious, comments about the company or its employees.
On the other hand, the use of Web 2.0 applications and social media can have certain benefits for employers, as well. These can include:
• Some customers, clients, vendors, etc. may be impressed when a company effectively uses these means to communicate, showing that the company is up-to-date and business savvy.
• Social media may permit an expansion of the company's visibility in aid or marketing.
• Social media may be an effective recruiting tool which will attract the interest of potential employees.
• Because so much information is available in a public setting, companies may access the information to learn more about applicants and potential employees.
• Social media can provide an excellent means of soliciting feedback from customers, clients, and even employees is a simple, cost-effective, and timely manner.
There is a tendency to focus on the negative aspects of these new technologies in the workplace (and away from the workplace), but with the fast-paced developments and the seemingly limitless ways they can be used, employers and their attorneys should bear in mind that there can be a mixed bag of positives and negatives. They key for employers will be to learn how to minimize the negatives and maximize the positives.
A. BALANCING AN EMPLOYER'S RIGHT TO KNOW VERSUS THE EMPLOYEE'S PRIVACY
The "right to privacy" in the employment setting is a nebulous, difficult legal concept. Sometimes employees have argued that their "right to privacy" protects them against bodily intrusions such as searches or drug testing, or against intrusions into "personal spaces" such as locked lockers or desks, or against compelled disclosure of personal information. However, while American jurisprudence in the area of employee privacy law has reached some definitive conclusions in the area of public employees (who are entitled to Fourth Amendment protections), when it comes to the private employment setting there is no clear-cut, well settled body of law. Instead, courts generally look to longstanding principles from common law.
On the one hand, employees have some legitimate arguments that they should be permitted to avoid intrusive scrutiny into private matters by their employers. On the other hand, employers have some legitimate arguments that they have a right to know more about their employees and how they spend their time, to avoid liability and to ensure productivity. With advances in technology which make it easier to monitor, these conflicting interests have only sharpened. Today's employers not only can and do monitor and review employees' e-mails and voice mails, but many seek to monitor text messages cell phones provided by the employer, or employee Facebook, Twitter, LinkedIn, MySpace, and other blogging-type activities. Some employers even utilize GPS tracking to keep up with employees' physical locations during work hours. Many of these technological advances would have been hard to imagine just fifteen years ago, but now they provide employers enhanced opportunities to pry into the private lives of their employees.
By way of example of how employee privacy concerns may arise, in 2010 it was reported that a high school teacher was dismissed after posting on her Facebook page that she thought residents of the school district were "arrogant and snobby" and that she was "so not looking forward to another year [at the school]." H.S. Teacher Loses Job Over Facebook Posting, BOSTONCHANNEL.COM (Aug. 18, 2010). In Simonetti v. Delta Airlines Inc., 2005 WL 2897844 (N.D. Ga. 2005)(stayed pending Delta bankruptcy proceedings), the Complaint alleged that the flight attendant plaintiff was fired for posting suggestive pictures of herself in her company uniform. Two pizza chain employees were fired after posting a "prank" video on YouTube that showed them preparing sandwiches at work while one put cheese up his nose and mucus on the food. Stephanie Clifford, Video Prank at Domino's Taints Brand, N.Y. TIMES, Apr. 16, 2009, at B1. Were these examples of ill-advised decisions by employees, overly-aggressive decisions by employers, or both?
As was observed in "The Piper Lecture – Electronic Privacy and Employee Speech," 87 Chi.-Kent L. Rev. 901:
Employers have retrieved and read highly personal communications among intimates sent over work-provided equipment. They have disciplined or fired workers because of comments they posted on Facebook, or in private chat groups, even when the communications occurred off duty using the employees' home computers. In other cases, employers have seized personal passwords or used forensic techniques to access email exchanged on employees' personal email accounts. As these and other incidents suggest, the norms surrounding whether or when employees can expect privacy in their communications are highly uncertain.
Some general considerations regarding employee privacy rights and employer intrusions include:
Electronic Privacy Communications Act. The Electronic Privacy Communications Act ("EPCA")(18 U.S.C. §§ 2510 et seq.) protects most electronic communications, including e-mail, from interception, attempted interception, disclosure, and unauthorized access. Whether the statute applies depends upon the medium of the message, the system upon which the message is located, and whether the message is in transit or stored. Among the exceptions under the EPCA, there are three which would relieve an employer from liability for monitoring its employees' e-mails: (1) consent (which includes implied consent), (2) the "provider" exception (which applies when a company provides its own e-mail service or communications systems), and (3) the "intra company communications" exception (when the employer accesses stored communication files).
By way of example, in Fraser v. Nationwide Mutual Ins. Co., 352 F.3d 107 (3d Cir. 2003), the terminated employee argued that his employer had improperly "intercepted" his e-mails which were stored on the company's central file server. The Court held that no "interception" had occurred under the EPCA.
Stored Communications Act. The Stored Communications Act ("SCA")(18 U.S.C. §§ 2701 et seq.) prohibits unauthorized access to stored electronic communications, giving a private cause of action for unauthorized access to stored data found on a computer's hard drive or e-mail servers. The SCA also contains a "provider exception" which would apply to employer-provided accounts, equipment, etc. However, private actions may be brought where an employer accesses web-based e-mail accounts and the like (discussed further below).
General rule. It is generally well-settled than an employer may monitor an employee's use of company-provided e-mail systems, internet usage, voice mails, and the like. The key consideration for the employer is to have a clear, clearly communicated policy which removes any reasonable expectation of privacy from the employee in connection with such use of company equipment or accounts, whether that use occurs at work or away from work.
If an employee decides to pursue a tort-type invasion of privacy claim based upon an employer's review of e-mails, the employee must establish some reasonable expectation of privacy in the communications. In the cases which have considered such claims, this has proved to be a very difficult thing for employees to so. See, e.g. United States v. Hassoun, 2007 U.S. Dist. LEXIS 3404 (S.D. Fla. Jan. 17, 2007)(in light of employer's written policies, employee had no reasonable expectation of privacy in his office computer or e-mail); Garrity v. John Hancock Mutual Life Ins. Co., 2002 U.S. Dist LEXIS 8343 (D. Mass., May 7, 2002)(employee had no reasonable expectation of privacy in folders marked "personal"); Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996)(no reasonable expectation of privacy in work e-mail, even in the absence of a written e-mail policy).
With regard to a common law invasion of privacy claim, the most frequent subset of invasion of privacy claims relied upon by employees in these situations is "intrusion upon seclusion." While there has been some disagreement as to whether Tennessee specifically recognizes "intrusion upon seclusion"-type invasion of privacy claims [see Givens v. Mulliken, 75 S.W.3d 383 (Tenn. 2002)], the recent appellate case of Burnette v. Porter, 2011 Tenn. App. LEXIS 533 (M.S., decided September 30, 2011), cert. denied, ordered not published, 2012 Tenn. App. LEXIS 110 (Tenn., February 15, 2012) involved a claim based upon intrusion upon seclusion, and in that case the Court stated that Tennessee recognizes all four types of invasion of privacy claims, including unreasonable intrusion upon seclusion.
Recent lesson from the Supreme Court regarding reasonable expectation of privacy. In June, 2010, the United States Supreme Court decided a case in the context of a public employee (i.e., a police officer) who sent text messages via an employer-provided pager. The case was City of Ontario, California v. Quon, 130 S. Ct 2619, 177 L. Ed 2d 216 (decided June 17, 2010). While Quon involved a public employer, and while it involved text messages sent by pager, it is nonetheless instructive for all employers with regard to the reasonable expectation of privacy issue. In Quon, the police department supplied pagers which could send and receive text messages, but there was a monthly limit on the number of characters each pager could send or receive, with a resulting fee if the number of characters was exceeded. When Officer Quon and several other officers exceeded the monthly character limits for several months, the police chief reviewed transcripts of the text messages sent over a two-month period, in order to evaluate whether the existing character limits was too low, or whether the officers would need to pay the fee. It was discovered that many of Quon's messages were not work-related, and some were sexually explicit. The internal affairs division compared the dates and times of text messages to his work schedule, and he was ultimately disciplined for violating the department's rules.
Quon then filed a lawsuit alleging violations of his Fourth Amendment Rights (reminder: his employer was a governmental agency), as well as violations of the federal Stored Communications Act by the pager service provider. The question reviewed by the Supreme Court involved Quon's reasonable expectation of privacy.
The police department had a clear Computer Policy which pertained to e-mails, and which clearly stated that the department reserved the right to monitor and log all e-mail and internet use, with or without notice. On its face, the policy did not state that it applied to text messages sent via the pagers, and the Supreme Court noted that text messages are unlike e-mails in that they did not pass through the department's computer servers. However, in staff meetings the officers were told that pager messages "are considered e-mail messages," and that they "would be eligible for auditing." This was later confirmed in a written memorandum to officers. The Supreme Court had no trouble in deciding that the official policy of the department removed any reasonable expectation of privacy, for purposes of reviewing the reasonableness of the search under the Fourth Amendment claim.
However, there was more to the story. It turned out that Quon's supervisor had told Quon, the first or second time that he had an overage of characters, that "it was not his intent to audit an employee's text messages to see if the overage was due to work related transmissions," and that Quon could reimburse the overage fee rather than having any audit performed. Quon agreed and reimbursed the overage fee for several months, but the supervisor eventually "became tired of being a bill collector" and performed the audit.
Therefore, the Supreme Court had to consider whether these statements by the supervisor "overrode the official policy" and gave Quon the basis for a reasonable expectation of privacy? The Court then "punted" on the issue and stated that it would "assume arguendo" that Quon did have a reasonable expectation of privacy in the text messages. The Court was obviously wary about making any ruling on this issue which would be taken too broadly, noting:
Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. As one amici brief notes, many employers expect or at least tolerate personal use of such equipment by employees because it often increases worker efficiency. Another amicus points out that the law is beginning to respond to these developments, as some States have recently passed statutes requiring employers to notify employees when monitoring their electronic communications. At present, it is uncertain how workplace norms, and the law's treatment of them, will evolve....
Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self-identification. That might strengthen the case for an expectation of privacy. On the other hand, the ubiquity of those devices has made them generally affordable, so one could counter that employees who need cell phones or similar devices for personal matters can purchase and pay for their own. And employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.
A broad holding concerning employees' privacy expectations vis-a-vis employer-provided technological equipment might have implications for future cases that cannot be predicted. It is preferable to dispose of this case on narrower grounds.
Quon, 130 S. Ct at 2629-2630 (internal citations omitted).
The Court then proceeded to issue its decision based upon the assumption that the supervisor's statements overrode the department's policies and did allow the officer to have a reasonable expectation of privacy in his text messages. This quasi-ruling by the Supreme Court may give employers some heartburn, because it seems to indicate that even a good, effective company policy may be overridden by a passing comment by a supervisor. Ouch!
On the other hand, the Supreme Court's ultimate ruling will likely be helpful to employers. It held that "because the search was motivated by a legitimate work-related purpose, and because it was not excessive in scope, the search was reasonable," for purposes of the Fourth Amendment claim. While the Court was careful and narrow in the rationale behind its ruling regarding the expectation of privacy, it went out of its way to broaden its ultimate holding to include the private employer context, stating, "the Court also concludes that the search would be 'regarded as reasonable and normal in the private-employer context....'" 130 S. Ct at 2633 (emphasis added).
Therefore, for private employers, the Quon decision teaches:
• An employer's computer-usage and e-mail policies can be expanded to cover other applications, such as text messages, by follow-up clarifications and memoranda
• The computer-usage and e-mail policy can remove any reasonable expectation of privacy by the employee
• Passing comments by a supervisor may reinstate the reasonable expectation of privacy
• But monitoring of the e-mails, text messages and the like by a private employer may still be regarded as "reasonable," so long as it was (1) motivated by a legitimate work-related purpose, and (2) not excessive in scope
What about web-based e-mail accounts or "webmail"? Most decided cases involve employees' use of e-mail via accounts provided by the employer, using the employer's e-mail servers, etc. What about when an employee has, and uses, a personal, web-based e-mail account (such as a Yahoo® account, or a GMail® account, or an AOL® account) when the employee is at work?
The Electronic Communications Privacy Act (referenced above) would not apply to interception of web-based e-mail by an employer because no "interception" occurs, since the e-mails never touch the employer's server, but instead merely traverse the employer's network to and from the web-mail provider's server. However, it is less certain whether the Stored Communications Act (referenced above) might apply.
There is a scarcity of case-law and authorities addressing the monitoring of employee's personal web-mail accounts by an employer. In one case which addressed this question, Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914 (W.D. Wis. 2002), a senior pastor overheard a telephone conversation by a children's pastor which seemed to indicate possible homosexual relationships. The senior pastor sent the children's pastor home, then hired a technology consultant to examine the church's computers. The children's pastor had a password-protected Hotmail® account which had been accessed through the church's internet connection. The senior pastor was able to guess the password, and the consultant accessed the personal Hotmail® account on multiple occasions, and eventually the children's pastor was terminated. He sued and asserted a common law invasion of privacy claim, as well as a claim under the Stored Communications Act, arguing that his e-mails had not been accessed from employer-provided servers, but rather from a remote, web-based server owned by Microsoft. Unfortunately, the Fischer court never definitively answered the question whether there was a violation of the SCA, but it gave an indication that it believed the legislative history behind the SCA showed that the actions in that case should have been covered by the Act. The Fischer court also denied that the defendant was entitled to summary judgment on the invasion of privacy claim.
More recently, in a case from New York, Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, Inc., 813 F. Supp. 2d 489 (S.D.N.Y. 2011), this question was resolved by the trial court in a surprising twist to an employer. In Pure Power, employees of a gym had signed non-compete agreements, but they decided to set up a competing business. The employer filed a lawsuit based upon the non-compete agreements, using as evidence 546 e-mails from the employees' Hotmail® and GMail® accounts which showed that the employees had taken customer lists and training materials, as well as solicited customers. But how did the employer get access to the e-mails? It turned out that the computers the employees used while working for the employer "auto-stored" the user-name and password fields, so the employer simply logged on as the employees after they had left their employment (and, in fact, after the lawsuit was underway). The employees counter-sued the employer for violations of the Stored Communications Act, and the trial court agreed that violations had occurred, granting partial summary judgment in their favor. Moreover, the court stated that, even if the employees had not sustained actual damages, they were awarded $1,000 as statutory damages per violation. The employees wanted the court to find 546 separate violations, but it instead found that due to the proximity in time of the access to the e-mails, there was only one violation. In its final judgment, the trial court re-affirmed its earlier decision, although it found four separate violations of the SCA, resulting in a $4,000.00 damages award. While the Court noted that punitive damages and attorney's fees are recoverable under the SCA for willful or intentional violations, it declined to award either attorney's fees or punitive damages under the circumstances of that case, finding that the employer was unaware of the SCA and was unaware that its actions were unlawful.
In a similar, but somewhat different context, in Pietrylo v. Hillstone Restaurant Group, 2009 U.S. Dist. LEXIS 88702 (D. N.J. 2009), the plaintiff employees claimed that their employer had violated the Stored Communications Act when their managers had "knowingly or intentionally or purposefully accessed the Spec-Tator (a chat group on MySpace.com, accessed by invitation and then the members' MySpace accounts and passwords) without authorization on five occasions." The employer argued that it had been given permission and access to view the accounts by the employees, and therefore, since the access was authorized "by a user of that service with respect to a communication of or intended for that user," there is no statutory violation, pursuant to 18 U.S.C. § 2701(c)(2). One employee testified that she was asked for the password information by her supervisor, and she felt as though she "probably would have gotten in trouble" if she had not provided it. A jury found that the employer had violated the SCA. However, only compensatory damages of $2,500 were awarded.
Still, the lesson to employers is that accessing web-based e-mail accounts, or accessing password-protected employee chat groups, even if the employee supposedly gives permission, may lead to Stored Communications Act claims. Until there are more specific court rulings and authorities, the conventional wisdom is that the same "expectation of privacy" analysis should apply with regard to web-based employee accounts. However, employers should proceed with caution. The prudent employer will specifically include language in its policies stating that web-based e-mail is also subject to monitoring by the employer, and companies may consider blocking access to certain sites where web-mail is hosted or provided during employment. However, even then, there may be SCA violations.
Summary / conclusion regarding privacy concerns. As noted in Abril, "Blurred Boundaries: Social Media Privacy and the Twenty-First-Century Employee," 49 Am. Bus. L.J. 63 (Spring, 2012):
U.S. law emphasizes that the workplace and its resources are the property of the employer. The employer is generally free to dictate permissible use of company property as the employer sees fit. Workplace privacy is not an employee right, but a restriction placed upon the employer's property rights. This restriction may arise constitutionally, legislatively, or in tort law, but in its essence it must be "reasonable" and not unduly erode the employer's property rights. Accordingly, the inquiry into whether the employee had a reasonable expectation of privacy in the intruded space is at the core of the law governing workplace privacy. Because the expectations lack an independent normative basis, the evaluation of the reasonableness of privacy expectations can be a chicken-and-egg analysis in which normative behavior informs the law and the law, in turn, influences normative behavior. Furthermore, from a legal perspective, reasonable expectations of privacy are formed in a two-step process. First, the claimant must have a subjective expectation of privacy. Second, there must also be an objective expectation of privacy that society accepts and legitimizes. Most employee arguments for privacy are foiled in step one by such instruments as employer communications and policies, but remain grounded in a widespread, societal norm the legal analysis hardly ever reaches.
B. WIRELESS DEVICES AND EMPLOYER AND EMPLOYEE PRIVACY VIOLATIONS.
"Wireless devices" is a broad term, which can include communications by cellular telephones, instant messaging and text messaging via cellular telephones, and similar types of communications. It can also include other types of technologies, such as personal digital assistants (PDAs), global positioning system (GPS) units, and other such technologies. "Wireless" refers to the use of energy sources to transfer information, including radio frequencies, infra red lights, laser lights and "acoustic energy." Wireless communication includes the communications between a television set and a remote control, or permitting a computer to make an internet connection via "Wi-Fi," or BlueTooth® connections. "Wireless" is not necessarily a synonym for "cordless."
Text messaging and similar "wireless" communications. Employee communications by wireless devices can include text messaging, cellular telephone conversations, instant messaging and e-mails sent via wireless devices such as Blackberry® phones. A 2008 Nielsen study showed that U.S. wireless subscribers now send and receive more text messages than mobile phone calls. A 2007 survey showed that 19% of "smart phone" users worked more than 50 hours per week, and one-third believed that their smart phones "enslaved them to their work."
Employers are learning that they can face liability because of text messages and instant messages, just as they learned about e-mails over the last decade. In one case, a company employee received a sexually explicit text message from her boss's phone at 2:00 a.m. The boss denied sending the message, claiming that a friend used his phone that night without telling him. Nonetheless, the company paid a $50,000 settlement. In another example, Central Michigan University paid a $450,000 settlement to two soccer players because of alleged sexually explicit text messages sent by their coach.
With regard to expectations of privacy and an employer's right to monitor text messaging and other forms of wireless communications sent via company-provided cellular telephones and similar technologies, the generally accepted "rule of thumb" remains the same as with regard to computer and e-mail monitoring – employers should have a clearly communicated policy which removes any reasonable expectation of privacy by the employee, and then, employers should have the right to monitor such communications. Of course, having the right to do so does not necessarily make this a prudent course in all cases.
The most recent guidance regarding monitoring text messages and similar communications comes from the 2010 Supreme Court case of City of Ontario, California v. Quon, discussed above.
Reminder to Tennessee employers: no texting while driving law. Tennessee employers should also be mindful that Tennessee has passed legislation which prohibits texting while driving. The law is codified at Tenn. Code Ann. § 55-8-199. If an employer provides a cellular telephone to an employee who drives during the course of employment, the employer should adopt and communicate a clear policy prohibiting texting while driving, both for the safety of employees and others, and also to create at least an argument for a defense against respondeat superior liability following an accident caused by an employee texting while driving on company business.
Other wireless device concerns: GPS and RFID technology. Besides the more obvious examples of wireless devices (smart phones, text messaging, etc.), there are at least two new forefront issues for employers involving wireless technologies which impact employee privacy concerns. They involve the application of new technologies by employers in new and unique ways – so new, in fact, that there is virtually no specific legal guidance on their part to date. However, employers and their attorneys should be aware of the new technologies and the potential employment-related legal claims which will almost certainly follow. The two technologies are "global positioning system" (GPS) technology and "radio frequency identification" (RFID) technology.
Creative employers have begun to see new applications for GPS technology, which uses satellites to communicate with devices on the ground to determine the device's exact location at any given point in time. Some of the new applications include tracking the whereabouts of employees who travel as part of their job, as well as logging driving for purposes of "time worked" and avoiding unauthorized overtime, and disciplining employees for unauthorized deviations and unproductive activities.
In the public sector, for example, "the city of Oakland, California installed GPS trackers on vehicles in response to complaints about unsatisfactory street sweeping. Similarly, King County, Washington installed GPS equipment on solid waste trailers to maximize the efficient use of the equipment. Public schools are also using GPS to track the location of school buses, citing the need to monitor bus drivers and bus routes, speeds, and idling times." Rosenberg, "Location Surveillance by GPS: Balancing an Employer's Business Interest with Employee Privacy," 6 Wash. J.L. Tech. & Arts 143 (Autumn 2010).
Private employers have also begun using GPS tracking on employer-owned delivery vehicles "to increase productivity, improve customer service, reduce labor costs, and promote responsible behavior among employees. By using GPS, employers can receive real-time information about vehicle locations to help deal with customers' complaints and potentially lower costs by efficiently coordinating delivery fleets. Employees can use GPS to get directions and coordinate delivery routes according to the availability of vehicles and traffic patterns." Id.
To date, only a handful of legal challenges by employees have resulted in lawsuits against employers based upon the use of GPS technology, and thus far, it does not appear that any employee legal challenges have prevailed. In Elgin v. St. Louis Coca-Cola Bottling Co., 2005 U.S. Dist. LEXIS 28976 (E.D. Mo. 2005), the employer tracked an employer-owned vehicle assigned to the plaintiff during both working and non-working hours, and the employee had not been informed ahead of time about the practice. He sued for invasion of privacy and "intrusion upon seclusion," but his claim was dismissed because the court found that the use of the GPS to track the location of the company car did not constitute a substantial intrusion upon his seclusion, "as it revealed no more than highly public information as to the van's location." Likewise, in Girardi v. City of Bridgeport, 985 A. 2d 328 (Conn. 2010), the employer (i.e., the City) had installed a GPS device in a City-owned vehicle driven by a fire inspector, without the employee's knowledge. Information collected from the GPS device was used to discipline the fire inspector for poor job performance. Connecticut had a statute which prohibited an employer from electronically monitoring an employee's activities without prior notice, and the employee filed a lawsuit based upon the statute. The Connecticut Supreme Court held that the statute did not create a private right of action, and it also held that the employer had not violated the employee's expectation of privacy because the GPS unit did not provide any further information than could have been obtained through visual surveillance of the public roads.
RFID technology is similar to GPC technology, in that it involves "tracking," except that it tracks by radio frequency. In business, RFID is used to track sales, monitor inventory, and prevent theft. (Think of the "tags" which must be removed from clothing you purchase at a store before you exit through the "sensor" doors). RFID has been used in medicine to obtain vital information from patients who cannot communicate, such as Alzheimer's patients, by implanting transponder "tags" (sometimes called microchips) the size of a grain of rice under the skin. Can you imagine the ways an employer might utilize this technology?
Actually, some employers are already utilizing RFID technology with employees, such as by issuing identification cards which allow the employee access into parking lots, buildings and rooms; or the "EZPass" system which allows employees to pass toll gates on toll roads without stopping. This same technology also allows employers to determine the time an employer passed through the toll gate. But would any employer dare to suggest implanting a "tag" underneath the employee's skin – and would any employee ever go along with that? In 2006, a Cincinnati company gave employees the "option" of receiving such tags, but it also conditioned employee access to certain areas of its premises to having such a tag. According to a press release, "the VeriChip is a glass encapsulated RFID tag that is injected into the flesh of the triceps area of the arm to uniquely number and identify individuals. The tag can be read through a person's clothing, silently and invisibly, by radio waves from a few inches away." However, in a twist, concerns were raised that the implanted chip could be "skimmed and cloned by a hacker," and thus, it might actually decrease security for the business.
Even without subcutaneous tagging, employers can and do still utilize this technology with employees with such items as company-provided credit cards, parking cards, cell phones, etc. Until legal precedents and authorities are developed, we may assume that the legal analysis would be much the same as with regard to GPS technology. However, if employers begin requiring under-the-skin tagging, expect new legal arguments and new legal implications.
C. MONITORING AND CREATING POLICIES REGARDING INTERNET, EMAIL, TEXTING AND OTHER ELECTRONIC COMMUNICATIONS.
The first and most important thing an employer should do regarding its plan to monitor employees' communications and technology use is to provide notice to the employees. As the Court stated in U.S. v. Bailey, 272 F. Supp. 2d 822,835 (D. Nebraska 2003), "an employer's notice to an employee that workplace files, Internet use, and e-mail may be monitored undermines the reasonableness of an employee's claim that he or she believed such information was private and not subject to search." Adequate notice removes the employee's claim of any reasonable expectation of privacy.
Such notice also serves the ultimate purpose of the employer's monitoring policy – altering employee's behavior. In addition, when an employer provides notice of its policy with an explanation of the legitimate business interests which lead to the need for the policy, then any stigma that the employer is "spying on its employees" can be removed.
If an employer already has an existing electronic communication and/or monitoring policy, it should review the policy to ensure that it extends to all forms of electronic communications. This is one of the lessons from the Supreme Court's 2010 Quon decision. As a reminder, the employer's policy in Quon covered e-mail communications, but as originally written, it did not cover text messages. However, the employer provided both verbal and written notice that text messages would be treated the same as e-mails, which worked in the employer's favor.
In addition, in another lesson from Quon, an employer should ensure that there are no "informal policies" in place which would undermine the written policies. In Quon, a supervisor had verbally re-assured the employee that his text messages would not be monitored, so long as he paid the monthly text message overage fee. The Supreme Court "assumed" that the supervisor's statement created a reasonable expectation of privacy on the part of the employee in his text messages. Employers should educate their supervisors regarding the electronic communications policies, and they should instruct supervisors to not make any statements, promises, etc. inconsistent with the policies.
One commentator has summarized the following key principles to be included in an employer's policy: (1) have a formal written policy and distribute it to all employees; (2) use the policy to inform employees that e-mail and other employer provided hardware are for business use only; (3) enforce the policy to avoid creating an informal expectation of privacy through lack of enforcement; (4) prohibit offensive or sexually explicit material; and (5) include all forms of electronic communications in the policy. See Alper, "Managing the Electronic Workplace," 36th Annual Institute on Employment Law 2007.
With regard to social media policies, the Society for Human Resource Management (SHRM) says that a "social networking use policy" should include the following elements: (1) define what social networking is particular to your organization, so employees know exactly what is meant by the term; (2) establish a clear and defined purpose for the policy; (3) communicate benefits of social networking and having a policy; (4) provide a clear platform for educating employees; (5) take into consideration any legal ramifications of not following laws; (6) refer to proprietary and confidential information at risk; (7) talk about productivity in terms of social networking; (8) provide guidance regarding social networking outside of company time that could be associated with the company, employees or customers (some employers may prohibit posting of company information on social networking sites without explicit consent); and (9) outline disciplinary measures to be taken for policy violations.
As is discussed in greater detail below, the National Labor Relations Board has taken great interest in cases involving employment actions based upon employee postings on social media sites. In particular, the NLRB enforces statutory prohibitions against punishing employees for engaging in protected "concerted activities." In this context, on May 30, 2012, the Office of the General Counsel of the NLRB issued its "Report Concerning Social Media Cases." As part of that Report, the NLRB published its own version of an acceptable "Social Media Policy." The NLRB Policy is as follows:
Social Media Policy
Updated: May 4, 2012
At [Employer], we understand that social media can be a fun and rewarding way to share your life and opinions with family, friends and co-workers around the world. However, use of social media also presents certain risks and carries with it certain responsibilities. To assist you in making responsible decisions about your use of social media, we have established these guidelines for appropriate use of social media. This policy applies to all associates who work for [Employer], or one of its subsidiary companies in the United States ([Employer]). Managers and supervisors should use the supplemental Social Media Management Guidelines for additional guidance in administering the policy.
In the rapidly expanding world of electronic communication, social media can mean many things. Social media includes all means of communicating or posting information or content of any sort on the Internet, including to your own or someone else's web log or blog, journal or diary, personal web site, social networking or affinity web site, web bulletin board or a chat room, whether or not associated or affiliated with [Employer], as well as any other form of electronic communication.
The same principles and guidelines found in [Employer] policies and three basic beliefs apply to your activities online. Ultimately, you are solely responsible for what you post online. Before creating online content, consider some of the risks and rewards that are involved. Keep in mind that any of your conduct that adversely affects your job performance, the performance of fellow associates or otherwise adversely affects members, customers, suppliers, people who work on behalf of [Employer] or [Employer's] legitimate business interests may result in disciplinary action up to and including termination.
Know and follow the rules
Carefully read these guidelines, the [Employer] Statement of Ethics Policy, the [Employer] Information Policy and the Discrimination & Harassment Prevention Policy, and ensure your postings are consistent with these policies. Inappropriate postings that may include discriminatory remarks, harassment, and threats of violence or similar inappropriate or unlawful conduct will not be tolerated and may subject you to disciplinary action up to and including termination.
Always be fair and courteous to fellow associates, customers, members, suppliers or people who work on behalf of [Employer]. Also, keep in mind that you are more likely to resolved work related complaints by speaking directly with your co-workers or by utilizing our Open Door Policy than by posting complaints to a social media outlet. Nevertheless, if you decide to post complaints or criticism, avoid using statements, photographs, video or audio that reasonably could be viewed as malicious, obscene, threatening or intimidating, that disparage customers, members, associates or suppliers, or that might constitute harassment or bullying. Examples of such conduct might include offensive posts meant to intentionally harm someone's reputation or posts that could contribute to a hostile work environment on the basis of race, sex, disability, religion or any other status protected by law or company policy.
Be honest and accurate
Make sure you are always honest and accurate when posting information or news, and if you make a mistake, correct it quickly. Be open about any previous posts you have altered. Remember that the Internet archives almost everything; therefore, even deleted postings can be searched. Never post any information or rumors that you know to be false about [Employer], fellow associates, members, customers, suppliers, people working on behalf of [Employer] or competitors.
Post only appropriate and respectful content
Maintain the confidentiality of [Employer] trade secrets and private or confidential information. Trades secrets may include information regarding the development of systems, processes, products, know-how and technology. Do not post internal reports, policies, procedures or other internal business-related confidential communications.
Respect financial disclosure laws. It is illegal to communicate or give a "tip" on inside information to others so that they may buy or sell stocks or securities. Such online conduct may also violate the Insider Trading Policy.
Do not create a link from your blog, website or other social networking site to a [Employer] website without identifying yourself as a [Employer] associate.
Express only your personal opinions. Never represent yourself as a spokesperson for [Employer]. If [Employer] is a subject of the content you are creating, be clear and open about the fact that you are an associate and make it clear that your views do not represent those of [Employer], fellow associates, members, customers, suppliers or people working on behalf of [Employer]. If you do publish a blog or post online related to the work you do or subjects associated with [Employer], make it clear that you are not speaking on behalf of [Employer]. It is best to include a disclaimer such as "The postings on this site are my own and do not necessarily reflect the views of [Employer]."
Using social media at work
Refrain from using social media while on work time or on equipment we provide, unless it is work-related as authorized by your manager or consistent with the Company Equipment Policy. Do not use [Employer] email addresses to register on social networks, blogs or other online tools utilized for personal use.
Retaliation is prohibited
[Employer] prohibits taking negative action against any associate for reporting a possible deviation from this policy or for cooperating in an investigation. Any associate who retaliates against another associate for reporting a possible deviation from this policy or for cooperating in an investigation will be subject to disciplinary action, up to and including termination.
Associates should not speak to the media on [Employer's] behalf without contacting the Corporate Affairs Department. All media inquiries should be directed to them.
For more information
If you have questions or need further guidance, please contact your HR representative.
Interestingly, the NLRB Report also identified provisions in social networking employment policies which, according to the NLRB, are not acceptable and which are disapproved, because they could lead employees to believe that they are prohibited from discussing wages and working conditions (i.e., from engaging in protected "concerted activities"). Among the disapproved policies are:
• Policies which prohibit language which is either "unprofessional, inappropriate, disparaging, inflammatory or defamatory:"
• Policies which allow only "appropriate" or "professional" language
• Policies that prohibit discriminatory, defamatory or harassing web entries about employees, the work environment, or work-related issues
• Policies that prohibit employees from disclosing confidential, sensitive, or non-public information about the company without prior approval
• Policies that prohibit an employee from using the company's name without prior approval
• Policies that prohibit employees from communicating with the media
• Policies that require an employee to state that all posted comments belong to the employee and not to the employer
D. USE OF SOCIAL NETWORKING SITES IN THE EMPLOYMENT CONTEXT: RISKS, BEST PRACTICES AND POLICIES
1. Employer Risks With Using Social Networking Sites for Employment Decisions.
"Social networking" sites can include Facebook, Twitter, LinkedIn, MySpace, and other similar sites. These sites serve as all-purpose platforms for on-line networking. Users create a profile which includes a variety of personal and professional information (e.g., date of birth, education, employer, marital status, employment history, expertise, awards), and then the users invite others to join their networks. Users can also contact others within the networks of their contacts, expanding their on-line connections.
Users of social networking sites can also share information through various "channels" of communication, including messaging, video file sharing, discussion forums, and blogging (short for "web logging").
For those seeking employment, social networking sites can serve as a useful tool to complement the more traditional job-seeking efforts. For example, LinkedIn claims to have 8.5 million professional users from 150 industries across the globe.
Employers have also begun to use social networking sites in efforts to recruit candidates for employment. According to one source, roughly half of employers in the U.S. are using internet searches to "vet" job candidates. Employers can search sites for individuals with skill-sets and experience which matches job openings. This includes the ability to locate "passive" job candidates, i.e., those who might be interested, but are not formally looking for a job opportunity.
Employers also have begun to use social networking sites as a part of their background checks on applicants. There is a wealth of information which can be "mined" from an applicant's various social networking sites, which can include job attitudes, political affiliations, age and marital status. "Vetting" through reviewing social networking sites can also expose those who would lie or cheat to get a job. According to one source from 2006, 44% of job applicants lied about their work histories, 41% lied about their education, and 23% falsified credentials or licenses. But should an employer use social networking as part of a background check? What are the legal risks?
Because information posted on internet sources is generally considered public, and because information posted on web page "profiles" generally consists of voluntary disclosures, employers are not generally restricted from accessing such information. However, employers should be aware of two important caveats: (1) authentication – everything located on the internet is not infallibly true and correct; and (2) an employer cannot use information gathered in this manner to screen out applicants based upon membership in protected classes, such as racial groups, ethnic groups, religious persuasions, etc. Finally, because review of candidate profiles on social networking sites is likely to retrieve isolated bits of personal information, the employer who utilizes such a search risks making judgments out of context.
Even if an employer properly uses social networking to screen applicants, that employer may be required to disclose and results obtained from the search used in the employment decision by the Fair Credit Reporting Act. Some employers are enlisting third party companies (such as Social Intelligence Corp. or InfoCheck USA) to look into online social activities of potential employees, and those companies are asked to filter out protected class information. One of the key considerations for the employer is uniformity in terms of which social media sites will be checked and which applicants or groups of applicants will be screened in this manner. These screening decisions should not be made on an ad hoc basis.
2. Developing Trend- Requiring an Applicant to Divulge His or Her Social Media Passwords.
An interesting trend of late is the practice of some employers of requiring applicants to divulge their social media passwords, so that their information can be checked, including information the applicant has designated as "private" or for "friends only." An AP story from March 20, 2012 sites some specific examples:
• Justin Bassett had just finished answering a few character questions when the interviewer turned to her computer to search for his Facebook page. When she could not see his private profile, she turned back and asked him to hand over his login information.
• Robert Collins was returning to his job as a security guard at the Maryland Department of Public Safety after taking leave following his mother's death. Gearing a reinstatement interview, he was asked for his login and password, purportedly so the agency could check for any "gang affiliations."
• In Spotsylvania County, Virginia, the sheriff's department requires applicants to "friend" background investigators for law enforcement jobs
• Several Illinois sheriff's departments require applicants to sign into social media sites to be screened
• Sears has used a Facebook "app" which permits the applicant to log onto the Sears jobsite, and when the applicant does so, the "app" draws information from the profile, such as a "friends list"
Some employers' lawyers argue that there are circumstances in which it may be important to require an employee or applicant to divulge log-in or password information, such as in order to properly investigate a complaint that an employee is using social media to harass a co-worker or engage in some other work-related misconduct. However, it would seem that these situations should be rare.
3. Supervisors "Friending" or "Following" Subordinate Employees.
Similar concerns are raised when a boss becomes a Facebook "friend" with a subordinate employee, or when one "follows" the other on Twitter. One survey reports that one-third of employees believe that connecting with their supervisor boosts their chance of advancing within the company, while 29% felt pressure to accept invitations from their supervisor to connect on social networks. Expect that litigation will ensue with respect to these trends.
4. Best Practices and Policies to Minimize Employer Risk.
To minimize the risk of a discrimination-type claim on account of "screening" applicants through a review of social networking sites, there are various things an employer can do. The "safest" way an employer can utilize social networking information in this manner is to obtain the applicant's consent and only conduct the review after a conditional job offer has been extended. However, in the real world, few employers are willing to wait until that point before mining the publicly-available data.
Another best practice for employers in this regard is to avoid relying exclusively, or almost exclusively, on the results from any social network review in making any employment decisions.
In addition, employers should clearly train their managers, and all persons who may be involved in the review and/or decision-making process, of the legal obligation to avoid gathering any information about membership in any protected class, or any information which might tend to disclose an applicant's or employee's medical conditions.
Finally, employers should consider working with their IT personnel to come up with a way to verify and confirm what information has been accessed. While a "scout's honor" system might work, a better plan would be to come up with some analysis of web logs which shows which sites were accessed, on which dates, by which computers. Then, so long as the supervisors conducting the searches and reviews understand and honor the company's policies, there will be objective evidence to support, and hopefully to defeat, a claim by a disgruntled, unsuccessful applicant.
E. OFF THE JOB BEHAVIOR, E.G., BLOGGING AND DATING.
Facebook and blogging. As is noted above, there are millions of Americans who regularly use Facebook accounts, write web logs or "blogs," etc. Any American employer of any appreciable size is bound to have multiple employees who use these outlets to express their frustrations, to tell funny anecdotes, to spread some amount of gossip, etc. Often the gripes involve supervisory employees, or the funny anecdotes and rumors involve co-workers. What can, and what should, and employer do with regard to such behavior?
Employers can be pretty savvy. Consider the soon-to-be Cisco employee who posted the following "tweet" on Twitter: "Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work." A Cisco supervisor saw the "tweet" and tweeted back, "Who is the hiring manager? I'm sure they would love to know that you will hate the work. We here are Cisco are well versed in the web." The job offer was rescinded shortly thereafter.
There is little data to show how many employees have been terminated for blogging-type activities or posts on social networking sites like Facebook. However, there are at least some examples of it, and in fact, there is a term which has been coined to describe this – "dooced." The term comes from the real-life example of the termination of an employee named Heather Armstrong after her supervisor saw a personal blog – located at www.dooce.com – which contained satirical comments critical of management.
A handful of states have enacted legislation which limits the rights of employers to take employment actions based upon such off-duty conduct as blogging and Facebook posts (California, New York, Colorado, Montana and North Dakota).
Even in states where no such statutes have been enacted, employers could face legal liability for employment decisions based upon off-duty blogging or Facebook posts, such as: (1) if the employee blogs or posts about status in a protected class, or a medical condition, or a religious belief – employment decisions could lead to a discrimination claim; or (2) if the employee blogs or posts about alleged harassment or discrimination at work – employment decisions could lead to a retaliation claim; or (3) if the employee "whistleblows" about alleged company wrongdoing – employment decisions could lead to a retaliation claim, or possibly a Sarbanes-Oxley type whistleblower claim.
On the other side of the spectrum, employers could be held liable and responsible for certain communications by their employees, even if the communications occur away from work. For example, if an employee of a publicly traded company revealed non-public information about the company's financial forecasts through a blog or post, the employer could be held liable under securities laws. In addition, social media posts can constitute a type of harassment for which employers may be held liable.
Discovery issues. One developing topic for employers and their lawyers is whether information posted or available through blogs, social networks sites, etc., is subject to discovery in litigation? While the Rules of Civil Procedure have been amended to address "e-discovery," those rules are not always applicable to information contained on social networking sites, since the data in question does not "reside" on the servers or computers of the litigants. In addition, there are likely to be arguments about the relevance, as well as the admissibility, of any evidence obtained from such sites. Would a person's "friendship" status have any legal significance to a lawsuit? In Quigley Corp. v. Karkus, 2009 U.S. Dist. LEXIS 41296 (E. D. Pa. 2009), this question arose in the context of a securities claim and a shareholder's failure to disclose this "relationship." The Court held that "[f]or purposes of this litigation, the Court assigns no significance to the Facebook 'friends' reference . . . ." However, the litigation still involved discovery issues related to the Facebook status. In Mackelprang v. Fidelity National Title Agency of Nevada, Inc., 2007 U.S. Dist. LEXIS 2379 (D. Nev. 2009), the plaintiff alleged that she had been sexually harassed by her employer, and the employer sought discovery of private messages sent by the plaintiff through her MySpace account to impeach the plaintiff's credibility, because the company believed the messages would show that the plaintiff was involved in an extramarital affair. The court in that case did not permit the "fishing expedition" discovery to proceed, because it was not directly related to plaintiff's employment.
In a recent case, EEOC v. Simply Storage Management, LLC, 2010 U.S. Dist. LEXIS 52766 (S. D. Ind. 2010), the court permitted an employer to obtain discovery of an employee's social networking activity on MySpace and Facebook, even though the employee's "privacy settings" had been made "private" and not available to the general public.
Dating and other out-of-work activities. The National Institute of Business Management suggests a "litmus test" for employers in deciding whether to "police" an employee's off-duty conduct: "If an employee's off-duty conduct puts your company in legal or financial jeopardy, courts will be more willing to let you regulate it." Of course, this is not a definitive legal standard.
There are a myriad of examples of off-duty conduct which might clash with the interests of the employer. A sampling of examples, together with a sampling of how courts have viewed the employer actions, includes:
• Dating and/or sexual relationships (e.g., a company terminated an executive after he attended a convention with a woman who was not his spouse in Staats v. Ohio Nat'l Life Ins. Co., 620 F. Supp. 118 (W.D. Pa 1985); an employee was terminated due to inter-racial dating in Adams v. Governor's Comm. on Post-Secondary Education, 26 Fair Empl. Prac. Cases (BNA) 1348 (N.D. Ga. 1981))
• Sexual orientation
• Civic/political activities
• Leisure activities
Sonne, "Monitoring for Quality Assurance: Employer Regulation of Off-Duty Behavior," 43 Ga. L. Rev. 133 (Fall, 2008) lists several examples of employer actions based upon off-duty conduct (internal citations omitted):
• In the early twentieth century, Henry Ford was notorious for creating a "Sociology Department," which was "responsible for ferreting out immoral and undesirable behavior on the part of Ford employees" both on and off the job site.
• In the 1990s, retail giant Wal-Mart Stores, Inc. maintained a policy barring a "dating relationship between a married associate and another associate, other than his or her own spouse."
• In the summer of 1999, Arizona's Scottsdale Healthcare fired two nurses for violating a policy against "immoral or indecent conduct while on or off duty" by running a sexually explicit website.
• Around January 2003, Weyco Inc., a mid-sized administrator of medical benefits, announced that "it would no longer hire smokers and told current employees who smoked that they had 15 months to quit."
• In May 2003, a Budweiser beer distributor apparently terminated an employee for his public drinking of a beer produced by its arch-rival, Coors, while a similar incident occurred in 2005 when a Miller beer distributor's employee drank a Budweiser.
• In January 2006, Gannett Co., a large publishing company, "added a $ 50 a month surcharge to the health premiums of its employees who smoke." PepsiCo charges smokers $100 more per year.
• In May 2007, the Olive Garden restaurant terminated a supervisor "after she posted photos of herself, her [underage] daughter, and other restaurant employees hoisting empty beer bottles" on MySpace.
There are simply too many cases, and too many examples, to discuss in this article and seminar materials. The general approach has been to uphold employers' decisions in most instances based upon the employment at will doctrine. Employees have advanced a number of arguments and claims, with varying degrees of success, including claims based upon invas