Supreme Court of Canada Concludes that Employees May Have a Reasonable Expectation of Privacy in Relation to Their Work-Issued Computers

The Supreme Court of Canada released its eagerly awaited decision in R. v. Cole, 2012 SCC 53, on October 19, 2012. In the decision, the Court held that employees may have a reasonable, though diminished, expectation of privacy in personal information stored on their work computers - at least where the personal use of such devices is permitted or reasonably expected by employers. This reasonable expectation of privacy is protected by the Canadian Charter of Rights and Freedoms. To learn more about the decision, please continue reading at our collaborative blog, Global Employment Law.

 

Re-Thinking and Rejecting Social Media "Password Protection" Legislation

Reproduced with permission from the HR Library. Copyright © 2012 The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By Philip Gordon and Lauren Woon

The story went viral, and legislators around the country caught the virus. On March 21, 2012, the Associated Press reported a few incidents where employers had requested or required log-in credentials from applicants or employees to access their personal social media accounts. Over the next three weeks, more stories were published, some regurgitating the incidents originally reported by the A.P., and others reporting on additional, alleged inquiries. The media frenzy stoked public outrage. Legislators around the country and in Congress sought to ride the wave of public sentiment by introducing legislation to slam the door on the perceived abuse. The result has been one state law as well as bills pending in eleven states and in Congress that are unnecessary, radically rewrite the law of privacy, and unfairly expose private employers to potential liability.

Social Media “Password Protection” Laws Are Unnecessary

Neither the A.P. article nor any other article from a major U.S. news outlet comprising the media frenzy of spring 2012 cites a single study proving that private employers routinely ask applicants or employees for log-in credentials to their personal social media accounts. In fact, a careful review of the anecdotal “evidence” contained in these news stories demonstrates that the exact opposite is true. All of the media coverage combined reported one instance in which a private employer requested log-in credentials. All but this one reported incident involved public employers, such as corrections departments and police forces. The overwhelming buzz drowned out this distinction.

The only empirical data of which we are aware is fully consistent with this anecdotal evidence demonstrating that private employers do not ask for log-in credentials. Littler Mendelson’s Executive Employer Survey Report, published in June 2012, asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: “Has your organization requested social media logins as part of the hiring or onboarding process?”1 The response: 99% of respondents answered the question in the negative.

In sum, at least as far as private employers are concerned, there is no proven need for password protection laws. Both the available anecdotal and empirical evidence, albeit limited, compel the conclusion that private employers are not asking applicants or employees for personal social media log-in credentials.

Social Media “Password Protection” Legislation Radically Rewrites the Common Law of Privacy

The one password protection bill that has been enacted, in Maryland, as well as the password protection legislation pending in eleven states — California, Delaware, Illinois, Michigan, Minnesota, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington — and in Congress, generally prohibit employers from requesting or requiring that employees or applicants provide the log-in credentials for a personal social media account. The underlying premise of these bills is that an employer invades an applicant’s or employee’s privacy by viewing content on a restricted access social media account without the voluntary consent of the account holder. Digging one step deeper, these bills, at their core, are saying that the content of a restricted access social media account is private no matter how many people the user invites to view that content and regardless of the relationship between the user and the viewer. Put more plainly, these bills declare, for example, that a Facebook user who has more than 500 “friends,” including current and former supervisors and other executives at his current employer, can establish the “privacy” of his content by using Facebook’s privacy settings to restrict access to “Friends Only.”

No court has ever construed the tort of invasion of privacy by intrusion upon seclusion so broadly. That tort requires, in the first instance, a “private fact” which can be the subject of an intrusion. The vast majority of courts have held that, if the fact that is the subject of the claim has been disclosed to even a small number of people not under a legal or contractual obligation of confidentiality, the fact is not private and the intrusion upon seclusion claim fails.2 To be sure, a small number of cases have permitted an intrusion upon seclusion claim to proceed even though the plaintiff had shared the private fact with others. However, in virtually all of these cases, the private fact was shared within a group that had a very specific relationship with the plaintiff, such as co-workers or participants in an in vitro fertilization program.3 We are not aware of any case holding that facts disclosed to dozens or hundreds of people who do not form a cohesive group are private from a private employer, especially when that group includes management-level employees of the employer who is the defendant on the privacy claim. In sum, the password protection laws create a “ring of privacy” with a circumference that is far larger than any court has recognized to date.

Notably, the one reported case where a jury considered whether an employer committed an intrusion upon seclusion by accessing two employees’ restricted-access social media site resulted in a verdict on that claim for the employer. In that case, Pietrylo v. Hillstone Restaurant Group, a group of employees at a Houston’s restaurant (the chain owned by the Hillstone Restaurant Group) established an invitation-only, password-protected MySpace page.4 In the words of the site’s founder, the page would permit group members to “vent about any BS we deal with [at] work without any outside eyes spying in on us.” The founder emphasized in his first post that “[t]his group is entirely private.” Houston’s accessed the site after a group member shared her log-in credentials with management. After viewing the venting about the company, management, and customers, the restaurant fired the site’s founder and another group member. Both responded by suing Hillstone for, among other claims, violating the federal Stored Communications Act (the “SCA”) and common law invasion of privacy.

While the jury’s verdict for the fired employees on their SCA claim has received substantial press and academic attention, the jury’s verdict for Hillstone on the invasion of privacy claim seems to have been lost in the shuffle. The jury’s verdict form reveals the jury rejected that claim based on its finding that the fired employees did not have a reasonable expectation of privacy in the content they posted on their site. The jury reached this conclusion despite the password protection, despite the invitation-only rule, and despite the founder’s pronouncement that the site was “entirely private.” A fair inference is that the jurors believed the fired employees could not reasonably expect privacy in content that was available to numerous group members and that could be further disclosed by any group member to anyone, including journalists, without restriction.

Legislators, of course, are free to create a public policy that overturns decades of common law jurisprudence, particularly when necessary to address new technology not yet considered by common law courts. However, the validity of a new public policy should be closely scrutinized when there is no apparent need for it, it is so broad that it leads to absurd results, and, as explained below, it potentially exposes all private employers to substantial liability.

Social Media Password Protection Legislation Exposes Private Employers to Liability

Legislators appear to have been so swept up by the media frenzy over the perceived, but unproven, injustice of private employers asking for personal social media log-in credentials that they drafted legislation with little consideration of employers’ legitimate interests. To illustrate the point, virtually all of the pending password protection bills applicable to private employers prohibit requests for personal, social media log-in credentials without exception. In other words, these bills effectively find that private employers never have a legitimate business reason to require, or even request, such log-in credentials.

Notably, the one state which has actually enacted a password protection law recognized that a blanket prohibition is unjustified. Under Maryland’s password protection law, an employer can ask for personal social media log-in credentials when needed to investigate securities law violations or a misappropriation of trade secrets. Delaware’s pending bill, alone among the pending bills, carves out an exception for securities-related investigations.

These exceptions, however, are unjustifiably narrow. There is no reasoned basis for distinguishing between investigations into securities fraud or misappropriation of trade secrets and those into other forms of unlawful or even criminal conduct. To illustrate the point, in all states, including Maryland, an employer could not fully investigate potential workplace violence. The password protection legislation would prevent an employer from going to the source if an employee were to report that a co-worker had posted on his restricted-access social media account the following: “I’m so angry I want to kill my boss” or “I hate work. I’m gonna blow the place up.” Thus, the employer would lose the benefit of critical information, such as the context of the post and other indicia of the seriousness of the threat revealed by the actual content.

It is unclear whether the survivors of murdered employees could hold the employer legally responsible in this scenario for failing to investigate the incident adequately, but no one wants to see a test case. Critically, these examples are not hypothetical hyperbole. According to James Turner, Ph.D., president of the International Assessment Services and one of the foremost experts in the field of workplace violence, it is not uncommon for those planning to commit murder to provide clues to their homicidal intent in Internet postings before they pull the trigger. For example, a gunman wrote a series of posts to an online bulletin board, the last of which stated “It’s time,” before murdering seven people in a Tokyo shopping mall.5 Another gunman posted “I wonder if I’d make the six o’clock news if I just starting popping people off” before killing three guards and wounding a fourth on the University of Alberta campus.6

The password protection bills, as currently drafted, as well as the Maryland law, also thwart investigations into workplace harassment. It would be naïve to believe that the bullying which used to happen on the shop floor or in the break room has not moved to social media. Indeed, the California Court of Appeal recently affirmed a jury’s verdict holding an employer responsible for its employees’ bullying of a co-worker with a disfigured hand. The court relied heavily on co-workers’ scathing blog posts that referred to the employee as “The Claw” and ruthlessly ridiculed him because of his disability.7 In the California case, the employee was able to discover and report the bullying to his employer because the blog posts were public. Password protection laws, however, would throw a cloak of secrecy around this type of illegal conduct when conducted through a restricted-access social media account.

As with the workplace violence scenario, it is unclear whether an employer could be held responsible for work-related harassment that is inaccessible to the employer. The plaintiffs’ bar can be expected to try. Putting aside legal liability, workplace harassment and threats of workplace violence that are visible to co-workers, but invisible to the employer, will have intangible costs for the workplace, such as undercutting employee morale, causing tension among co-workers, and distracting employees from their work. Given the absence of any proof that private employers are asking for social media log-in credentials, there is no justification for legislatures to impose on employers those costs or the potential liability arising from an inadequate investigation of employees’ unlawful work-related social media conduct.

While the risks arguably are not as serious, the application process still can present situations where an employer justifiably seeks access to content posted on a restricted-access social media account. For example, if a current employee were to inform her human resources manager that she has seen content on an applicant’s “friends-only” Facebook page that raises serious questions about the applicant’s suitability for employment with the employer, the employer should be able to gain access to that information whether by asking the applicant or the employee for log-in credentials, for permission to “shoulder surf,” or for a hard copy or screen shot of the content in question. While the phrasing of the Maryland law and the pending password protection bills is somewhat ambiguous, they all appear to put the applicant’s social media content completely off-limits, regardless of which of these methods the employer wishes to use. Given the substantial disruption and cost to private employers of a “bad hire,” they should not be completely foreclosed from this source of information, particularly given that a host of laws — such as Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Age Discrimination in Employment Act, and the Genetic Information Non-Discrimination Act of 2008 — already substantially restrict an employer’s ability to use social media content for employment decisions.

Conclusion

State and federal legislators should recognize that they may have “jumped the gun” by relying on hype rather than facts in their hurried attempt to get ahead of a public outcry. At this point, there is no empirical data suggesting that private employers are routinely or even occasionally requesting or requiring personal social media log-in credentials. Consequently, it is not necessary to enact legislation that would radically expand the definition of “privacy” and substantially impede employers’ ability to investigate potentially unlawful and even criminal conduct.


1 Littler Mendelson Executive Employer Survey Report (June 2012), available at http://www.littler.com/content/littler-mendelson-executive-employer-survey-report-2012.

2 See, e.g., Duran v. Detroit News, Inc., 200 Mich. App. 622 (1993) (intrusion claims failed because the information defendants obtained was either available via public record or had been disclosed by plaintiffs such that it was “open to the public eye”); Fletcher v. Price Chopper Foods of Trumann, Inc., 220 F.3d 871, 877-78 (8th Cir. 2000) (intrusion claim failed where plaintiff asserted a privacy interest in the medical fact that she had a staph virus at the time of her employment termination because plaintiff revealed this information to her co-workers); cf. Nader v. Gen. Motors Corp., 25 N.Y.2d 560, 568-69 (1970) (intrusion claim was unsupported by allegations that defendants interviewed people who knew plaintiff and thereby obtained information of a private nature because plaintiff assumed the risk that those he confided in may breach that confidence; plaintiff’s claim was supported on other grounds such as unauthorized wiretapping).

3 See, e.g., Sanders v. Amer. Broadcasting Cos., 20 Cal. 4th 907 (1999) (even though the plaintiff’s conversation could be seen and overheard by co-workers, plaintiff’s intrusion claim could proceed where media reporter covertly taped plaintiff’s conversation). Cf. Y.G. v. Jewish Hosp. of St. Louis, 795 S.W.2d 488, 502 (Mo. Ct. App. 1990) (plaintiffs’ use of in vitro fertilization was a private matter even though they attended a social function for participants in the hospital’s in vitro fertilization program).

4 Pietrylo v. Hillstone Rest. Group, No. 2:06-cv-05754-FSH-PS (D.N.J. 2008).

5 Norimitsu Onishi, Man who killed 7 in Tokyo left online warnings, N.Y. TIMES (June 9, 2008), http://www.nytimes.com/2008/06/09/world/asia/09iht-09tokyo.13575210.html.

6 Michelle McQuigge, Chilling Facebook comment preceding armed guard murders stokes employee online privacy debate, THE CANADIAN PRESS (June 23, 2012), http://news.nationalpost.com/2012/06/23/chilling-facebook-comment-preceding-armed-guard-murders-stokes-employee-online-privacy-debate/.

7 Espinoza v. County of Orange, No. G043067 (consol. with G043345) (Cal. Ct. App. 2012).

FTC Releases Privacy Report Advocating Modified Regulatory Approach

Earlier this month, the Federal Trade Commission (FTC) released a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report advocates a regulatory framework that, if adopted, would modify the FTC’s previous approach toward the privacy issues over which it has jurisdiction. If the FTC were to adopt the new privacy framework, employers would need to focus new and greater attention on training their workforce about privacy and instilling attention to privacy into the business process that their workforce is required to execute.

The FTC is empowered to take action against deceptive or unfair acts or practices. It also has authority to regulate privacy issues through enforcement of statutes regarding specific business sectors, including certain financial institutions, children’s online activities, e-mail marketing, and telemarketing. The Commission’s primary role in workplace privacy arises from the Fair Credit Reporting Act (FCRA), which protects consumers’ sensitive credit, insurance and employment information and, for example, requires an employer to obtain written authorizations from job applicants and employees before obtaining background information about them through third parties and to provide notice to applicants if they decline to hire because of that information.
 

To address privacy issues, the FTC has focused on two regulatory models:

  • The notice-and-choice model “encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices.” (Report at iii.)
  • The harm-based model “focuses on protecting consumers from specific harms – physical security, economic injury, and unwanted intrusions into their daily lives.” (Id.)

Rather than advocating abandonment of these approaches, the report notes the drawbacks of each one: the notice-and-choice model has led to lengthy privacy policies that are neither read nor understood by consumers; the harm-based model has failed to adequately protect privacy interests that cannot be easily measured in monetary terms, such as reputational harm and the fear of being subjected to unwanted tracking in cyberspace. (Id.) Further, technological advancements have challenged both models:

  • Companies can collect, store, manipulate and share consumer data at minimal cost.
  • Companies can collect and use consumers’ information in ways that often are invisible to consumers.
  • The distinction between personally identifiable information and non-personally identifiable information has become blurred.

Customers are very interested in strong privacy protections. At the same time, however, the free flow of information is critical to providing the goods and services.
     

The report proposes an alternative, three-part framework for future privacy regulation by the FTC:

  1. Privacy by Design, an approach in which companies would promote consumer privacy throughout their organizations and at every stage of the development of their products and services. They would build into their everyday practices privacy protections, such as reasonable security for consumer data, collection of only the data needed for a specific business purpose, retention of data only as long as necessary to fulfill that purpose, safe disposal of data no longer being used, and implementation of reasonable procedures to promote data accuracy. (Report at v.) This approach also would include the assignment of privacy officers, privacy training, and internal privacy reviews when new products and services are developed.
  2. Simplified Consumer Choices. Companies would not need to provide choices to consumers before collecting and using their data for commonly accepted practices such as purchase order fulfillment. But for practices that would result in a material change from a customer’s expected use of personal data, companies would offer the choice at a time and in a context in which the consumer made a decision about providing and authorizing the use of his or her data.
  3. Greater Transparency in Data Practices. Companies would clarify, shorten and standardize privacy notices; provide reasonable access to the personal data they maintain about a person based on the sensitivity of the kind of data and the nature of its use; provide prominent disclosures; and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
     

Whether the FTC will adopt the framework outlined in the preliminary staff report after the public comment period ends on January 31, 2011, is unclear. But if the report is adopted, it likely will be over objection. Two of the five Commissioners issued concurring written statements to the report in which they questioned whether a new or modified model is necessary or desirable.

If the report is adopted, employers would need to consider the following implications:

  • Increased Need for Privacy Training for All Employees. “Privacy by design” entails efforts at every level of a business to protect the private information of consumers during the entire data life cycle, from collection to use to transfer to storage to destruction. The population of employees who should receive privacy training likely will expand materially.
  • Institution of Privacy Reviews During Product and Service Development. Another implication of “privacy by design” is the need to scrutinize privacy issues during the service- or product-development process. That would necessarily require a broader group of employees with expertise in the area of privacy than most organizations currently have.
  • Increased Need for Employee Sensitivity to Private Customer Information at Key Points in Business Transactions. The FTC’s new framework would require a business to give customers “just in time” choices about whether and how to use sensitive data. Automated notices and prompts would help solve some of these issues in online transactions. But with respect to phone or face-to-face transactions, employees would have to be vigilant to both identify those key decision points in business transactions and then respond appropriately.

This entry was written by Christopher M. Leh.

New Jersey Court Ruling re Workplace Computer Privacy Leaves Tough Questions Unanswered

Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few minor changes to the facts show why. Suppose M.A. marked all of his personal files as “private” when saving them to the company’s document management system. It was well known within the company that system administrators respected the “private” designation. M.A. did not permit any other employees to log into his computer; nor did he share his username or password with any co-workers. When M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

N.J. Supreme Court Seals the Door to Internet Service Providers' Voluntary Disclosure of Information About "Cybersmearing" Employees

Even though people surfing the Internet often leave a trail of data on the web sites they visit, the New Jersey Supreme Court has found a constitutionally protected privacy interest in their anonymity. Rejecting uniform federal court precedent holding that Internet users do not have a reasonable expectation of privacy under the U.S. Constitution in subscriber information stored by their Internet Service Provider (ISP), the state Supreme Court held on April 21 that New Jersey’s Constitution does protect this information against unreasonable searches by law enforcement authorities. While focused on criminal enforcement, the decision most likely will make it even more difficult for employers to identify employees and former employees who anonymously use the Internet to damage companies.

The case arises out of a run-of-the-mill employee vendetta. After defendant Shirley Reid had an argument with the owner of Jersey Diesel, where she was employed, Reid allegedly tried to sabotage the company’s operations. Using her home computer and the unique user ID and password that she had established as part of her job, Reid accessed the web sites of Jersey Diesel’s suppliers and changed the company’s shipping address to a non-existent address. One of Jersey Diesel’s suppliers reported the change to Jersey Diesel and gave the company’s owner the Internet Protocol (IP) address assigned to the computer used to access the supplier’s web site. Jersey Diesel, apparently using an IP Address Locator web site (which is similar to a reverse telephone directory), determined that the IP address was registered to Comcast. Comcast, however, refused to disclose the identity of the subscriber to Jersey Diesel’s owner. The owner then reported the activity to local police. In response to a municipal subpoena served by the local police, Comcast disclosed that Reid was the subscriber associated with the IP address. The local prosecutor indicted Reid on charges of criminal theft.
 

The New Jersey Supreme Court ruled that Reid had a reasonable expectation of privacy in the subscriber information that Comcast turned over to the local police. The Court reasoned that Internet use is integral to daily life and reveals substantial information about an individual’s private life, making ISP subscriber information similar to telephone billing records and bank records. Because New Jersey’s Constitution recognizes a reasonable expectation of privacy in both of those categories of records, ISP subscriber information also should be constitutionally protected. Given this constitutional protection, ISP subscriber information may be produced to law enforcement only in response to a grand jury subpoena. The Court, therefore, affirmed the suppression of Reid’s ISP subscriber information because Comcast had produced it in response to a municipal subpoena.

Jersey Diesel’s situation has become all too common for employers. Employees and former employees, hiding behind the anonymity offered by the Internet, are damaging their employers by posting defamatory or confidential information on the Internet or by engaging in more injurious conduct, such as that alleged against Reid. Like Jersey Diesel, employers typically receive a frosty reception when trying to obtain subscriber information from ISPs. After the Reid decision, ISPs almost surely will refuse to voluntarily disclose any information about New Jersey subscribers out of fear of being sued for invasion of privacy. Although the New Jersey Supreme Court’s decision applies only in New Jersey, employers can expect the decision to have a broader impact.

Notably, the New Jersey Supreme Court expressly refused to address the standard for issuing a civil subpoena that requires an ISP to disclose subscriber information. However, both New Jersey’s intermediate appellate court and California’s Court of Appeal have ruled that an employer has to satisfy a heightened burden before such a subpoena can be issued. The Reid decision most likely will be used in other jurisdictions to lend further support for this heightened standard.