[authors: Kaiser Wahab and Lauren Mack]
Employers are now on full alert that employees’ online activity, in the office and in the home, has a direct impact on the bottom line, often beneficial and often detrimental. And with each day’s headlines, new complications and permutations challenge any chance at a one-size-fits-all understanding. Hence, the few legal boundaries that employers can rely on should be on any manager’s desk.
Below is a summary of major online employment issues and what employers can and cannot do about them. Also, there are footnotes and a breakdown of cases in the arena for reference.
1. May employers use the Internet and social media to perform background checks on employees?
An employer may look at anything that is publicly available on the Internet to verify a prospective employee’s credentials. An employer who accesses any information that is password protected or otherwise not available to the public without the authorization of the potential employee will be subject to liability under the Stored Communications Act (SCA), which prohibits intentionally accessing or exceeding authorization to access a facility in which an electronic communication is provided and thereby obtaining access to an electronic communication stored in the system.
If a third party is hired to conduct the background check, the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) requires that the employee consent to the check. Investigations related to suspected employment misconduct, compliance with federal, state or local laws and regulations, or any preexisting written policies of the employer are exempted from the consent requirement under the Fair and Accurate Credit Transactions Act.
An employer may not use information gathered from social media in order to screen out applicants or take adverse action against an employee based on a protected category, such as race or age.
2. May employers monitor employee email?
Yes, and it is often in the employer’s best interest to do so. NOTE 1 Employers should be aware of what is happening in the workplace, and monitoring work email is one of the best ways to find out. Once an employer decides to monitor email, it is important for the monitoring to be consistent and effective, as monitoring also comes with a duty to investigate and take remedial action if the employer becomes aware of sexual harassment or illegal activity. NOTE 2 Otherwise, the employer may be held liable for knowingly allowing the inappropriate activity to happen.
When it comes to monitoring the personal emails of employees that are accessed on work devices, however, the line is not as clear. The answer turns on whether the employee had a reasonable expectation of privacy in the personal account when it was accessed at work. It has proven difficult for employees to successfully establish a reasonable expectation of privacy in personal emails accessed on company computers, especially if the use of personal email is forbidden while at work or company policy makes it clear that all communications will be monitored. NOTE 3 Certain types of statutorily protected communications may not be accessed by employers in any situation, including emails from an employee’s attorney. NOTE 4
3. May an employer monitor employee conduct on social media?
Employers may monitor their employees’ social media use as long as it does not violate any laws or ethics rules. Just as with background checks, activity that an employee has chosen to make public is fair game, but employers may not violate the SCA by pressuring an employee for a password to a personal social media account, creating a fake account in order to gain access, or otherwise “breaking in” to a protected social media page. NOTE 5 Monitoring of social media profiles and information should be consistent across employees regardless of race, gender, or other protected class status.
4. What if an employee’s off-duty social media use is unacceptable to the employer?
Several states have laws that protect off-duty conduct, although it is unclear whether they apply to off-duty communications. For example, New York Labor Law §201-d protects employees engaging in recreational or certain political activities if they are off duty and not using work equipment or work property.
Recently, however, the NLRB has taken a strong stance on defending the rights of employees to engage in protected activities on social networks while not at work. An NLRB challenge of American Medical Response’s social media policy ended in early 2011 when AMR agreed to not restrict, discipline, or discharge employees from engaging in protected activities while not at work, such as discussing their wages, hours, or working conditions. As both union and non-union employees are protected by the National Labor Relations Act (NLRA), all employers should have narrowly tailored policies that avoid restricting protected activities outside of work and consider whether an employee’s post on a social media network is protected activity before taking any action against that employee. NOTE 6
5. May an employer regulate employees’ Internet use at the office?
Unless there is a state statute or ethics rule that prohibits monitoring work time, an employer may monitor how much time employees spend using the Internet and social media networks at the office. NOTE 7 Whether the use is for employer purposes or not does not matter, although employers may want to consider giving employees some input into the company social media policy if social media use is a job requirement.
6. Can an employer ever be held liable for an employee’s online conduct?
FTC regulations (16 CFR § 255.1(d)) hold advertisers liable for failure to disclose material connections between themselves and their endorsers. This means that a company can be held liable every time an employee endorses the company’s product or service without disclosing his or her relationship, whether the employer was aware of the endorsement or not. An endorsement could include as little as a positive comment on a blog or social media site if it reflects the employee’s “opinions, beliefs, or experiences.” For this reason, company policy should bar all employee communications about company products and services, or at least prohibit those without the proper disclosures.
Employers should also regulate what employees post on the company’s website. A 2008 SEC guideline (Release No. 34-58288) made it clear that statements made by an employee in a company interactive forum are never made in an individual capacity, and the company may therefore be held liable for those comments as well.
7. May an employer keep an employee (or ex-employee) from making defamatory comments about the employer online? Can the employer successfully sue the website hosting the comments if this happens?
An employer may terminate current employees for making defamatory comments about the company online, but courts will avoid enjoining ex-employees from making such comments as it is a prior restraint on free speech. NOTE 8
An employer will not be able to obtain damages from any website hosting offensive comments due to the Communications Decency Act (47 U.S.C. § 230 et seq.), which protects the provider of an interactive computer service from liability arising from communications made by third parties in most cases. NOTE 9
8. What can an employer do if an employee posts trade secrets or confidential information online?
While there may be some common law protection, employers should have confidentiality agreements and policies in place to avoid employee disclosure of confidential information. Employers must wait to take action against the employee until after the information has been disclosed, as enjoining employees from posting confidential information or intellectual property also creates a prior restraint on free speech. NOTE 10 If the content posted is copyrighted by the company, the employer may request that the infringing content be removed under the procedures outlined in 17 U.S.C. § 512(c) as long as the employee’s post cannot be considered a fair use.
9. Are there additional protections or considerations when it comes to union employees?
Employer policies prohibiting employees from using email for non-work related solicitations do not violate the NLRA and union employees may be disciplined for online conduct as long as it is not protected activity. NOTE 11 Employers may need to give notice to the union with an opportunity to bargain before adopting a social media policy. NOTE 12 Secondary picketing issues may arise if mass emails soliciting membership or support are sent to employees or if employees use email to put economic pressure on a secondary employer to stop doing business with a primary employer.
10. Should employers have an acceptable use policy and what should it contain?
Employers should not only have a comprehensive acceptable use policy, but also make sure that employees are aware of its contents and that it is enforced. The policy should cover everything relating to work computer use, company-provided cell phone use, the use of company trademarks or other intellectual property, and the disclosure of confidential information and trade secrets.
Employees should be prohibited from:
Exposing confidential information and trade secrets.
Using company trademarks inappropriately or without authorization.
Referring to company clients, customers, or partners online without permission.
Making discriminatory statements or sexual innuendo towards other employees, customers, or anyone else associated with the employer (see #2).
Making defamatory or derogatory statements about other employees, customers, or anyone else associated with the employer.
Communicating about or endorsing company products or services without the employer’s consent and a disclosure of the employment relationship (see #6).
Engaging in illegal conduct using company software or equipment.
Accessing personal or inappropriate websites while at work.
Posting copyrighted content on the company’s website.
Posting a recommendation or informal review of a subordinate.
Employees should be warned:
That all work email and computer use may be monitored.
That employee social media use will be monitored, whether while on the job or off-duty.
That professionalism is expected in all postings and publications on behalf of the company (see #6).
If material must be reviewed before being posted to the company website.
What kinds of disciplinary action may be taken if the policy is violated.
Employees should be required to:
Provide all passwords to work-related accounts to management.
Comply with the Terms of Service of social networking sites.
Report any communications they find that violate the policy.
Notes: Case Law
1. Fraser v. Nationwide Mutual Ins. Co., 352 F.3d 107 (3d Circ. 2003): The employer did not improperly intercept an employee’s work-related emails under the Electronic Communications Privacy Act because they were in post-transmission storage.
2. Doe v. XYC Corp., 382 N.J. Super. 122, 887 A.2d 156 (App. Div. 2005): An employer has a duty to investigate the employee’s activity if it is on notice that an employee is using a work computer to access pornography, potentially including child pornography.
3. U.S. v. Butler, 151 F. Supp. 2d 82 (D. Me. 2001): There was no reasonable expectation of privacy in a student’s use of a computer that was part of a university network system.
Garrity v. John Hancock Mutual Life Ins. Co., 2002 WL 974676 (D. Mass. 2002): Marking folders as personal did not create a reasonable expectation of privacy for the employee.
United States v. Hassoun, 2007 WL 141151 (S.D. Fla. 2007): The employee had no reasonable expectation of privacy in his office computer based on the employer’s written policies.
4. Stengart v. Loving Care Agency Inc., 201 N.J. 300, 990 A.2d 650 (N.J. 2010): An employer cannot violate statutory privileges in accessing emails, such as attorney client privilege, even when company policy states that there is no privacy in emails accessed on a work computer.
5. Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009): Restaurant managers who obtained the password to an invite-only MySpace gripe group from an employee (who claimed to be under duress) and knowingly accessed the MySpace group without authorization violated the SCA and the New Jersey Wiretapping and Electronic Surveillance Control Act.
VanAlstyne v. Elec. Scriptorium Ltd., 560 F.3d 199, 28 IER Cases 1441 (4th Cir. 2009): Punitive damages were awarded under the SCA without a showing of actual damages when an employer accessed an employee’s personal email account after she left the company without the employee’s authorization.
Philadelphia Bar Ass’n Professional Guidance Comm’ee Opn. 2009-02 (March 2009): An advisory opinion issued by the Philadelphia Bar Association’s Professional Guidance Committee concluded that asking another person to contact a witness on a social media site in order to gain access to the information on their personal profiles would violate attorney ethical prohibitions against misconduct and requirements for truthfulness in statements to others.
6. Marshall v. Mayor and Alderman of City of Savannah, 2010 WL 537852 (11th Cir. 2010): An employee who posted photographs of other employees obtained from the employer’s website alongside scantily clad pictures of herself on MySpace was reprimanded and then terminated after denying she was violating her employer’s policy. The 11th Circuit found her postings were not protected by the First Amendment and that because male employees were not treated differently, she was not fired solely for her social media postings.
7. Calandriello v. Tennessee Processing Center, LLC, 2009 WL 5170193 (M.D. Tenn. 2009): No discrimination was found when a bipolar employee was terminated for loss of confidence after he admitted to accessing violent websites that included news about serial killers on his work computer and altering a company inspirational poster with a photograph of Charles Manson, despite the employee’s claims that his use of the Internet did not violate company policy because other employees often surfed the Internet.
Cervantez v. KMGP Services Co. Inc, 349 Fed. Appx. 4 (5th Circ. 2009): Violation of the employer’s computer use policy by accessing pornographic sites was a legitimate reason for discharging the employee. The Court also noted that even if the logs produced by the employer were inconsistent, summary judgment was still appropriate since actual innocence is irrelevant if the employer reasonably believed the reason for termination and acted in good faith.
Pacenza v. IBM Corp., 2010 WL 346810 (2nd Circ. 2010): When an employee with post-traumatic stress disorder was fired for violating company policies by accessing sexual materials on the Internet while at work, his termination was legitimate because there was no showing that he was singled out or treated more harshly than similarly situated non-disabled employees.
8. Ramos v. Madison Square Garden Corp, 257 A.D.2d 492 (1st Dept. 1999): An employer’s request for an injunction against an employee’s defamatory statements was refused because granting relief in the form of prior restraint is undesirable and damages after the publication of the statements are an adequate remedy at law.
Aguilar v. Avis Rent-A-Car System, Inc., 21 Cal. 4th 121 (1999): A limited injunction was granted that prohibited racial epithets in the workplace.
Varian Med. Sys., Inc. v. Delfino, 113 Cal. App. 4th 272 (2003): An employer may terminate an employee for posting derogatory comments about the company and company executives.
9. Doe v. MySpace, Inc., 474 F. Supp. 2d 843 (W. D. Tex. 2007): MySpace could not be held liable on a negligence claim by the victim of sexual abuse by an online predator who contacted the victim through the service.
Shiamili v. The Real Estate Group of New York, Inc., 2011 NY Slip Op 05111 (2011): A website that took an anonymous comment by a third party, moved it to a stand-alone blog post, and added non-defamatory content was not held liable for the original comment’s allegedly defamatory content.
10. Ford Motor Co. v. Lane, 67 F. Supp. 2d 745 (E.D. Mich. 1999): Enjoining an employee from posting allegedly misappropriated trade secrets and copyrighted material would violate the First Amendment as a prior restraint.
11. Konop v. Hawaiian Airlines, 302 F.3d 868 (9th Circ. 2002): When an employee claimed he was wrongly disciplined and was critical of labor concessions on his blog, the blog content was considered protected union activity and lacked the actual malice needed to make it defamatory.
State of Minn., 117 Lab. Arb. Rep. (BNA) 1569 (2002): Allowed an extensive investigation of a chain of pornographic emails and related computer use based on an employee’s complaint that she saw a nude woman on a co-worker’s computer screen.
12. Kuhlman Elec. Corp., 123 Lab. Arb. Rep. (BNA) 257, 262 (2006): A new policy on use of computers and the Internet was not contrary to the collective bargaining agreement and did not materially, substantially, and significantly affect the terms and conditions of employment.
California Newspaper Partnerships, 350 N.L.R.B. No. 89 (Sept. 10, 2007): An employer must bargain with the union over a policy forbidding use of email accounts to send messages about union affairs.