Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

In his veto statement, Governor Christie acknowledged the bill’s positive objective, i.e., to protect employees and applicants “from overly aggressive invasions by employers.” At the same time, he criticized the bill as overly broad, presenting employers and interviewers with a high risk of lawsuits. In the governor’s words: “Those privacy concerns, however, must be balanced against an employer’s need to hire appropriate personnel, manage its operations, and safeguard its business assets and proprietary information. Unfortunately, this bill paints with too broad a brush.”

Governor Christie noted, for example, that as currently drafted, the bill would prohibit an employer interviewing an applicant for a marketing position from asking about the applicant’s use of social media so that the employer could gauge the applicant’s technological skills and media savvy. “Such a relevant and innocuous inquiry would, under this bill, subject an employer to protracted litigation, compensatory damages, and attorneys’ fees — a result that could not have been the sponsors’ intent," the governor said. Additionally, the governor stated:

"In view of the over-breadth of this well-intentioned bill, I return it with my recommendations that it be more properly balanced between protecting the privacy of employees and job candidates, while ensuring that employers may appropriately screen job candidates, manage their personnel, and protect their business assets and proprietary information."

Governor Christie recommended eliminating the private right of action and replacing it with potential penalties and a fine from the New Jersey Department of Labor and Workforce Development.

However, as noted in a previous entry, the original bill passed 75-2 in the General Assembly, so if the legislature wants to ignore the governor and pass the bill as-is, it likely can because only a two-thirds majority is needed to override the veto. As of May 7, 2013, the legislature had asked for two readings of the veto message and proposed changes, thereby signaling that perhaps it intends to seriously consider the governor’s well-founded concerns.

Subsequently, the California legislature, often hostile to employer interests, amended its then-pending bill to adopt a more balanced and reasonable approach. The approved bill does generally prohibit employers from requesting or requiring that employees or applicants (a) disclose their user name or password to gain access to personal social media content; (b) access their personal social media in the employer’s presence, i.e., permit “shoulder surfing;” or (c) divulge any personal social media, which apparently would bar an employer from asking an employee to provide the personal social media content of a co-worker who is a Facebook friend. At the same time, however, the pending law permits employers to request that “an employee divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

While this exception is a vast improvement over the Illinois and Maryland laws, California employers should beware that the exception does not open the door all the way. To begin with, the exception does not apply to job applicants. Thus, even if a current employee were to report seeing racist or threatening content on a job applicant’s restricted access social media site, a California employer still could not gain access to the troublesome social media content unless the reporting employee voluntary provided it. In addition, employers remain barred from asking current employees to disclose their social media log-in credentials or to permit the employer to “shoulder surf.” Nevertheless, the exception does permit California employers to ask a co-worker to provide content from the personal social media site of an employee suspected of misconduct.

California employers also should note that the California law, like the Illinois and Maryland laws, appears to have an unintended and unsupportable consequence in the context of litigation. These statutes impose no restriction on an employer’s ability to request in civil discovery that a former employee produce personal social media, log-in credentials; however, all three statutes bar such requests in litigation with a current employee. Obtaining log-in credentials can be important in employment litigation so that employers’ counsel can confirm that the current or former employee has produced all discoverable information posted on his or her restricted-access social media page.

California’s pending password protection law has another unusual twist. The bill expressly relieves California’s Labor Commissioner from having to investigate complaints that the law has been violated, whereas the Labor Commissioner is required to investigate certain other violations of the Labor Code. The pending law itself also does not create a private right of action. Consequently, it remains unclear what remedies an employee could pursue were the Labor Commissioner to decline to investigate.

Employers should expect other states to enact this form of popular legislation. If the password protection laws that are on the horizon are to follow California’s more balanced approach rather than the draconian Illinois law, employers and employer groups will need to highlight the critical distinctions between the two laws through participation in the legislative process.

Photo credit: Asilvero

In sum, at least as far as private employers are concerned, there is no proven need for password protection laws. Both the available anecdotal and empirical evidence, albeit limited, compel the conclusion that private employers are not asking applicants or employees for personal social media log-in credentials.

Social Media “Password Protection” Legislation Radically Rewrites the Common Law of Privacy

The one password protection bill that has been enacted, in Maryland, as well as the password protection legislation pending in eleven states — California, Delaware, Illinois, Michigan, Minnesota, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington — and in Congress, generally prohibit employers from requesting or requiring that employees or applicants provide the log-in credentials for a personal social media account. The underlying premise of these bills is that an employer invades an applicant’s or employee’s privacy by viewing content on a restricted access social media account without the voluntary consent of the account holder. Digging one step deeper, these bills, at their core, are saying that the content of a restricted access social media account is private no matter how many people the user invites to view that content and regardless of the relationship between the user and the viewer. Put more plainly, these bills declare, for example, that a Facebook user who has more than 500 “friends,” including current and former supervisors and other executives at his current employer, can establish the “privacy” of his content by using Facebook’s privacy settings to restrict access to “Friends Only.”

No court has ever construed the tort of invasion of privacy by intrusion upon seclusion so broadly. That tort requires, in the first instance, a “private fact” which can be the subject of an intrusion. The vast majority of courts have held that, if the fact that is the subject of the claim has been disclosed to even a small number of people not under a legal or contractual obligation of confidentiality, the fact is not private and the intrusion upon seclusion claim fails.² To be sure, a small number of cases have permitted an intrusion upon seclusion claim to proceed even though the plaintiff had shared the private fact with others. However, in virtually all of these cases, the private fact was shared within a group that had a very specific relationship with the plaintiff, such as co-workers or participants in an in vitro fertilization program.³ We are not aware of any case holding that facts disclosed to dozens or hundreds of people who do not form a cohesive group are private from a private employer, especially when that group includes management-level employees of the employer who is the defendant on the privacy claim. In sum, the password protection laws create a “ring of privacy” with a circumference that is far larger than any court has recognized to date.

Notably, the one reported case where a jury considered whether an employer committed an intrusion upon seclusion by accessing two employees’ restricted-access social media site resulted in a verdict on that claim for the employer. In that case, Pietrylo v. Hillstone Restaurant Group, a group of employees at a Houston’s restaurant (the chain owned by the Hillstone Restaurant Group) established an invitation-only, password-protected MySpace page.⁴ In the words of the site’s founder, the page would permit group members to “vent about any BS we deal with [at] work without any outside eyes spying in on us.” The founder emphasized in his first post that “[t]his group is entirely private.” Houston’s accessed the site after a group member shared her log-in credentials with management. After viewing the venting about the company, management, and customers, the restaurant fired the site’s founder and another group member. Both responded by suing Hillstone for, among other claims, violating the federal Stored Communications Act (the “SCA”) and common law invasion of privacy.

While the jury’s verdict for the fired employees on their SCA claim has received substantial press and academic attention, the jury’s verdict for Hillstone on the invasion of privacy claim seems to have been lost in the shuffle. The jury’s verdict form reveals the jury rejected that claim based on its finding that the fired employees did not have a reasonable expectation of privacy in the content they posted on their site. The jury reached this conclusion despite the password protection, despite the invitation-only rule, and despite the founder’s pronouncement that the site was “entirely private.” A fair inference is that the jurors believed the fired employees could not reasonably expect privacy in content that was available to numerous group members and that could be further disclosed by any group member to anyone, including journalists, without restriction.

Legislators, of course, are free to create a public policy that overturns decades of common law jurisprudence, particularly when necessary to address new technology not yet considered by common law courts. However, the validity of a new public policy should be closely scrutinized when there is no apparent need for it, it is so broad that it leads to absurd results, and, as explained below, it potentially exposes all private employers to substantial liability.

Social Media Password Protection Legislation Exposes Private Employers to Liability

Legislators appear to have been so swept up by the media frenzy over the perceived, but unproven, injustice of private employers asking for personal social media log-in credentials that they drafted legislation with little consideration of employers’ legitimate interests. To illustrate the point, virtually all of the pending password protection bills applicable to private employers prohibit requests for personal, social media log-in credentials without exception. In other words, these bills effectively find that private employers never have a legitimate business reason to require, or even request, such log-in credentials.

Notably, the one state which has actually enacted a password protection law recognized that a blanket prohibition is unjustified. Under Maryland’s password protection law, an employer can ask for personal social media log-in credentials when needed to investigate securities law violations or a misappropriation of trade secrets. Delaware’s pending bill, alone among the pending bills, carves out an exception for securities-related investigations.

These exceptions, however, are unjustifiably narrow. There is no reasoned basis for distinguishing between investigations into securities fraud or misappropriation of trade secrets and those into other forms of unlawful or even criminal conduct. To illustrate the point, in all states, including Maryland, an employer could not fully investigate potential workplace violence. The password protection legislation would prevent an employer from going to the source if an employee were to report that a co-worker had posted on his restricted-access social media account the following: “I’m so angry I want to kill my boss” or “I hate work. I’m gonna blow the place up.” Thus, the employer would lose the benefit of critical information, such as the context of the post and other indicia of the seriousness of the threat revealed by the actual content.

It is unclear whether the survivors of murdered employees could hold the employer legally responsible in this scenario for failing to investigate the incident adequately, but no one wants to see a test case. Critically, these examples are not hypothetical hyperbole. According to one of the foremost experts in the field of workplace violence, James Turner, Ph.D., president of the International Assessment Services and one of the foremost experts in the field of workplace violence, it is not uncommon for those planning to commit murder to provide clues to their homicidal intent in Internet postings before they pull the trigger. For example, a gunman wrote a series of posts to an online bulletin board, the last of which stated “It’s time,” before murdering seven people in a Tokyo shopping mall.⁵ Another gunman posted “I wonder if I’d make the six o’clock news if I just starting popping people off” before killing three guards and wounding a fourth on the University of Alberta campus.⁶

The password protection bills, as currently drafted, as well as the Maryland law, also thwart investigations into workplace harassment. It would be naïve to believe that the bullying which used to happen on the shop floor or in the break room has not moved to social media. Indeed, the California Court of Appeals recently affirmed a jury’s verdict holding an employer responsible for its employees’ bullying of a co-worker with a disfigured hand. The court relied heavily on co-workers’ scathing blog posts that referred to the employee as “The Claw” and ruthlessly ridiculed him because of his disability.⁷ In the California case, the employee was able to discover and report the bullying to his employer because the blog posts were public. Password protection laws, however, would throw a cloak of secrecy around this type of illegal conduct when conducted through a restricted-access social media account.

As with the workplace violence scenario, it is unclear whether an employer could be held responsible for work-related harassment that is inaccessible to the employer. The plaintiffs’ bar can be expected to try. Putting aside legal liability, workplace harassment and threats of workplace violence that are visible to co-workers, but invisible to the employer, will have intangible costs for the workplace, such as undercutting employee morale, causing tension among co-workers, and distracting employees from their work. Given the absence of any proof that private employers are asking for social media log-in credentials, there is no justification for legislatures to impose on employers those costs or the potential liability arising from an inadequate investigation of employees’ unlawful work-related social media conduct.

While the risks arguably are not as serious, the application process still can present situations where an employer justifiably seeks access to content posted on a restricted-access social media account. For example, if a current employee were to inform her human resources manager that she has seen content on an applicant’s “friends-only” Facebook page that raises serious questions about the applicant’s suitability for employment with the employer, the employer should be able to gain access to that information whether by asking the applicant or the employee for log-in credentials, for permission to “shoulder surf,” or for a hard copy or screen shot of the content in question. While the phrasing of the Maryland law and the pending password protection bills is somewhat ambiguous, they all appear to put the applicant’s social media content completely off-limits, regardless of which of these methods the employer wishes to use. Given the substantial disruption and cost to private employers of a “bad hire,” they should not be completely foreclosed from this source of information, particularly given that a host of laws — such as Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Age Discrimination in Employment Act, and the Genetic Information Non-Discrimination Act of 2008 — already substantially restrict an employer’s ability to use social media content for employment decisions.

Conclusion

State and federal legislators should recognize that they may have “jumped the gun” by relying on hype rather than facts in their hurried attempt to get ahead of a public outcry. At this point, there is no empirical data suggesting that private employers are routinely or even occasionally requesting or requiring personal social media log-in credentials. Consequently, it is not necessary to enact legislation that would radically expand the definition of “privacy” and substantially impede employers’ ability to investigate potentially unlawful and even criminal conduct.

¹ Littler Mendelson Executive Employer Survey Report (June 2012), available at http://www.littler.com/content/littler-mendelson-executive-employer-survey-report-2012.

² See, e.g., Duran v. Detroit News, Inc., 200 Mich. App. 622 (1993) (intrusion claims failed because the information defendants obtained was either available via public record or had been disclosed by plaintiffs such that it was “open to the public eye”); Fletcher v. Price Chopper Foods of Trumann, Inc., 220 F.3d 871, 877-78 (8th Cir. 2000) (intrusion claim failed where plaintiff asserted a privacy interest in the medical fact that she had a staph virus at the time of her employment termination because plaintiff revealed this information to her co-workers); cf. Nader v. Gen. Motors Corp., 25 N.Y.2d 560, 568-69 (1970) (intrusion claim was unsupported by allegations that defendants interviewed people who knew plaintiff and thereby obtained information of a private nature because plaintiff assumed the risk that those he confided in may breach that confidence; plaintiff’s claim was supported on other grounds such as unauthorized wiretapping).

³ See, e.g., Sanders v. Amer. Broadcasting Cos., 20 Cal. 4th 907 (1999) (even though the plaintiff’s conversation could be seen and overheard by co-workers, plaintiff’s intrusion claim could proceed where media reporter covertly taped plaintiff’s conversation). Cf. Y.G. v. Jewish Hosp. of St. Louis, 795 S.W.2d 488, 502 (Mo. Ct. App. 1990) (plaintiffs use of in vitro fertilization was a private matter even though they attended a social function for participants in the hospital’s in vitro fertilization program).

⁴ Pietrylo v. Hillstone Rest. Group, No. 2:06-cv-05754-FSH-PS (D.N.J. 2008).

⁵ Norimitsu Onishi, Man who killed 7 in Tokyo left online warnings, N.Y. TIMES (June 9, 2008), http://www.nytimes.com/2008/06/09/world/asia/09iht-09tokyo.13575210.html.

⁶ Michelle McQuigge, Chilling Facebook comment preceding armed guard murders stokes employee online privacy debate, THE CANADIAN PRESS (June 23, 2012), http://news.nationalpost.com/2012/06/23/chilling-facebook-comment-preceding-armed-guard-murders-stokes-employee-online-privacy-debate/.

⁷ Espinoza v. County of Orange, No. G043067 (consol. with G043345) (Cal. Ct. App. 2012).

Despite the absence of a proven need, the Illinois bill imposes apparently broad restrictions on employers. The bill prohibits an employer from “request[ing] or require[ing] any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website.” The bill also forbids employers from “demand[ing] access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.”

While the first prohibition is clear enough, the scope of the second is ambiguous. The second prohibition appears to be aimed at “shoulder surfing,” i.e., an employer’s asking an applicant or employee to log into a social networking site without revealing log-in credentials so that the employer can review the site. Similarly, this prohibition appears to reach an employer’s asking an employee or applicant to print a hard copy of his or her own social networking site or to e-mail screen shots of that site to the employer. Assuming this prohibition is intended to reach such conduct, it remains unclear whether the prohibition applies only to content posted on the applicant’s or employee’s own social networking site or extends to the restricted social networking sites of co-workers who are not the subject of the request.

To put the ambiguity into sharper focus, consider the following scenario. An employee reports to his human resources manager that a co-worker, who is a Facebook friend, has commented on his own wall, which is restricted to “Friends Only,” that he is so angry at the company he could “blow the place up.” The Illinois law appears to prohibit the HR manager from asking the reporting employee to permit the HR manager to view the posting co-worker’s post on the reporting employee’s own newsfeed and from asking the reporting employee to print a hard copy of the post or to e-mail a screen shot of the post to the HR manager. The Illinois law also appears to prohibit the HR manager from asking the posting co-worker for access to his social networking site so the HR manager can investigate the reporting employee’s allegation. However, it is unclear whether the Illinois law would prohibit the HR manager from asking the reporting employee, without disclosing his own log-in credentials or any information on his own news feed, to access the posting co-worker’s “Friends Only” Facebook wall so the HR manager could corroborate and further investigate the allegation.

While this point, at first blush, may appear to be hair splitting, it is critical for employers because the Illinois law contains no exception for legitimate workplace investigations. In fact, the Illinois law contains no exceptions at all to its general prohibitions. Instead, the law merely emphasizes that it is not intended to restrict an employer’s right to promulgate policies regulating use of the employer’s own electronic resources or from monitoring usage of the employer’s own electronic resources, including e-mail. The bill also expressly states that it does not apply to “information that is in the public domain,” i.e., social networking sites for which the account holder has not used privacy settings to restrict access. However, this limitation provides little aid to employers as applicants and employees increasingly activate privacy settings to restrict access to their social media accounts. In sum, the Illinois law shuts off most, if not all, access by employers to a potentially important source of information when conducting legitimate investigations into misconduct related to work, such as workplace violence, unlawful harassment, and misappropriation of trade secrets.

The absence of any exceptions to the general prohibition in the Illinois bill highlights another challenge for employers raised by this new genre of workplace regulation. The Maryland law contains exceptions for investigations of suspected securities fraud violations and suspected misappropriation of trade secrets. While these exceptions themselves are overly narrow, their absence from the Illinois bill suggest that the states are beginning to weave yet another inconsistent patchwork of laws that will further complicate for employers the already daunting challenge of regulating new technology in the workplace.