Status of New Jersey's Social Media Password Protection Law In Flux

By Amber Spataro

On March 21, 2013, the New Jersey legislature overwhelmingly passed one of the most pro-employee social media password protection bills in the nation. The bill not only prohibited employers from requesting employee passwords to their personal social media accounts, but also prohibited employers from even asking employees or applicants if they possessed a personal social media account. The bill conferred on applicants and employees the right to sue for damages.

On May 6, 2013, Governor Chris Christie issued a statement and a “conditional veto” of the measure. The conditional veto means the governor objects to parts of a bill and contains proposed amendments that would make the bill acceptable to him. If the legislature re-enacts the bill with the recommended amendments, the governor will have another opportunity to sign the bill and presumably would sign it.

In his veto statement, Governor Christie acknowledged the bill’s positive objective, i.e., to protect employees and applicants “from overly aggressive invasions by employers.” At the same time, he criticized the bill as overly broad, presenting employers and interviewers with a high risk of lawsuits. In the governor’s words: “Those privacy concerns, however, must be balanced against an employer’s need to hire appropriate personnel, manage its operations, and safeguard its business assets and proprietary information. Unfortunately, this bill paints with too broad a brush.”

Governor Christie noted, for example, that as currently drafted, the bill would prohibit an employer interviewing an applicant for a marketing position from asking about the applicant’s use of social media so that the employer could gauge the applicant’s technological skills and media savvy. “Such a relevant and innocuous inquiry would, under this bill, subject an employer to protracted litigation, compensatory damages, and attorneys’ fees — a result that could not have been the sponsors’ intent,” the governor said. Additionally, the governor stated:

"In view of the over-breadth of this well-intentioned bill, I return it with my recommendations that it be more properly balanced between protecting the privacy of employees and job candidates, while ensuring that employers may appropriately screen job candidates, manage their personnel, and protect their business assets and proprietary information."

Governor Christie recommended eliminating the private right of action and replacing it with potential penalties and a fine from the New Jersey Department of Labor and Workforce Development.

However, as noted in a previous entry, the original bill passed 75-2 in the General Assembly, so if the legislature wants to ignore the governor and pass the bill as-is, it likely can because only a two-thirds majority is needed to override the veto. As of May 7, 2013, the legislature had asked for two readings of the veto message and proposed changes, thereby signaling that perhaps it intends to seriously consider the governor’s well-founded concerns.

Patchwork of Social Media Password Protection Laws Impacts Employers

Social media websites such as Facebook, Twitter, LinkedIn and others have become a part of daily life in the United States and abroad. The unavoidable reach of social media into our personal lives has extended into our professional lives. Facebook claims to have more than 1 billion users. As of December 31, 2012, LinkedIn boasted more than 200 million registered users in over 200 countries and territories and reported that its members performed "over 5.7 billion professionally-oriented searches on the platform in 2012." It is reasonable to infer that those 5.7 billion searches were not limited to individuals seeking jobs, professional connections or merely long lost friends, but also included employer representatives searching for qualified candidates.

In the last decade, most employers, at some point, have reviewed an employee's or applicant's emails, blogs or online social media postings, either in the capacity of "employer" or perhaps as a "friend." Social media monitoring service Reppler recently surveyed over 300 hiring professionals to determine when and how job recruiters are screening job candidates on different social networks. The study found that more than 90 percent of recruiters and hiring managers have visited a potential candidate's profile on a social network as part of the screening process. Moreover, 69 percent of recruiters have rejected a candidate based on content found on his or her social networking profiles—an almost equal proportion of recruiters (68%), though, have hired a candidate based on his or her presence on those networks.

Employers' access to applicants' and employees' social media activity raises two separate but related questions. First, what social media sites can employers lawfully access to obtain information about applicants and employees? Second, to what extent can employers lawfully rely on information obtained through social media to make employment decisions? The second question raises the types of anti-discrimination concerns that employers have been confronting in the off-line world for decades. However, the first question exposes employers to a completely new legal landscape, one which just began to evolve in April 2012, when Maryland enacted the Nation's first "social media password protection law" and has expanded in the past year to include six additional states—California, Illinois, Michigan, New Jersey, New Mexico, and Utah. With password-protection legislation pending in over twenty state legislatures, this legal landscape undoubtedly will become more complex, especially for multi-state employers, over the next one to two years.

To learn more about the history and background of social media password protection legislation, the differences between the state laws, and how those differences create challenges for employer compliance, please see Littler's Report, Workplace Policy Institute: Social Media Password Protection and Privacy — The Patchwork of State Laws and How It Affects Employers, by Philip Gordon, Amber Spataro, and William Simmons.

New Jersey Poised to Enact the Most Aggressive Social Media Password Protection Law to Date, Adding to a Patchwork of Conflicting Laws Across the U.S.

By Philip Gordon

New Jersey is expected to shortly join California, Illinois, Maryland, Michigan, and Utah in prohibiting employers from seeking employee or applicant passwords to social media accounts or services. New Jersey’s General Assembly passed its bill on March 21, 2013, and that bill now awaits signature by Governor Christie. Although there is no indication from the governor whether he intends to sign the bill, ignore it, or veto it, any action other than signature would simply be symbolic and almost certainly overruled (the General Assembly passed the bill 75-2). New Jersey’s law is more pro-employee/applicant than any such law enacted to date, providing the broadest protections, the narrowest exceptions, and the most generous remedies.

Specifically, the New Jersey bill would prohibit an employer from requesting or requiring, as a condition of employment, that a current or prospective employee “provide or disclose any user name or password, or in any way provide the employer access to,” any personal social networking account, service or profile. The italicized language appears to prohibit New Jersey employers not only from “shoulder surfing,” i.e., reviewing social media content by observing the individual’s access without requesting login credentials, but also goes one step further. The bill apparently would prohibit an employer from asking an employee who complains about the social media activity of a coworker, such as online sexual harassment, for access to the complaining employee’s personal social media account to observe what the alleged harasser posted. Moreover, unlike similar laws in California, Michigan, and Utah, the New Jersey bill contains no exception for workplace investigation into suspected unlawful conduct or violations of employer policies. Notably, the New Jersey bill does not contain a narrower exception, such as the one in Maryland’s law, which includes a carve-out for investigations into suspected violations of securities laws or regulations or into suspected misappropriation of trade secrets.

The New Jersey bill adds a new prohibition not seen in any prior law that actually could be detrimental to job applicants and employees. Specifically, employers cannot “[i]n any way require or request that a current or prospective employee disclose whether the employee has a personal account.” Consequently, were an employer to search publicly available social media content for information about an employee or applicant and discover negative information that might relate to the applicant or employee, such as racist comments or a predilection for sex with minors, the employer could not ask whether the account where the content is posted is, in fact, the applicant’s or employee’s personal account. Moreover, if the employer does inquire and the applicant or employee refuses to confirm or deny whether he or she posted the offensive social media content, New Jersey’s law would make it a violation for the employer to then take adverse action based on the individual’s refusal to respond. In other words, the employer would be worse off if it tried to “do the right thing” and attempted to verify the authenticity of information that, if true, would lead to an adverse employment action.

The New Jersey bill also has the most generous remedial scheme. “Facebook” laws in Maryland and California do not expressly provide a private right of action. By contrast, the New Jersey bill confers a private right of action on applicants or employees to recover unlimited compensatory and consequential damages. While the laws in Utah and Michigan also confer a private right of action, damages are capped at $500 and $1,000 per violation, respectively. Illinois’ law does not cap damages; however, it requires that applicants or employees first attempt to resolve their complaint through the state labor department. No such administrative exhaustion requirement applies under the New Jersey bill.

To be sure, once the bill is enacted, as is likely, it will not entirely handcuff New Jersey employers from performing investigations and background checks necessary to run a safe and efficient operation without running afoul of the law. However, before investigating information present on an employee's or applicant's "personal account," human resources professionals are encouraged to seek guidance from inside or outside counsel to ensure compliance with this proposed law. If approved, the law will go into effect on the first day of the fourth month following its enactment.

Michigan's New "Social Media Password Protection" Law Multiplies the Challenges for Employers Seeking to Investigate Employees' Social Media Misconduct

By Philip Gordon

Joining California, Illinois, and Maryland, Michigan has enacted its own social media password protection law, which went into effect with the governor’s signing of the bill on December 28, 2012. Michigan’s law, like the others, generally prohibits employers from gaining access to applicants’ or employees’ personal social media accounts. At the same time, Michigan’s law initiates the proverbial “patchwork” of state laws in this area as it introduces important distinctions from the three state laws that preceded it. The headaches, however, are not reserved for multi-state employers trying to implement a uniform strategy for investigating reports of employees’ social media misconduct. Michigan-only employers also will need to grapple with a range of interpretive challenges.

Michigan’s new law, dubbed the “Internet Privacy Protection Act” (IPPA or the “Act”), lays down three straightforward prohibitions. First, employers cannot ask applicants or employees for the user name and password or other log-in credentials to gain access to any of the individual’s personal, Internet-based accounts, i.e., an account for which the user restricts access to content by way of log-in credentials. Second, the Act bars employers from asking applicants or employees to “allow observation of” their account, a practice commonly called “shoulder surfing.” Third, the Act prohibits employers from asking applicants or employees to “grant access to” their personal accounts, thereby barring employers from reviewing content without asking for log-in credentials and without shoulder surfing. Employers can take no adverse action against an applicant or employee who refuses a request in violation of the Act. These prohibitions apply not just to social media accounts but to all Internet-based accounts, including e-mail and cloud storage accounts. All employers, regardless of size, are subject to the Act’s restrictions.

While airtight at first blush, the IPPA’s wall around applicants’ and employees’ personal accounts is more like a sieve upon closer scrutiny. Most importantly, the Act does not prohibit an employer from asking an employee to help the employer view content in another employee’s or in an applicant’s personal account. The Act prohibits access only to the personal content of the applicant or employee who is the subject of the request. Given that employees routinely report social media conduct of coworkers that violates corporate policy or is suspected to be unlawful, this limitation is critical for employers seeking to investigate an employee’s Internet misconduct or compromising Internet postings by a job applicant.

The Act’s express exceptions also create important gaps in the facially broad prohibition. Like California’s law, the IPPA permits an employer to ask an employee for access, by any means, to the employee’s personal account as part of an investigation into workplace misconduct but only “[i]f there is specific information about activity on the employee’s personal internet account.” This exception would, for example, permit an employer to ask an employee for log-in credentials where a coworker reports a social media post that threatens workplace violence or contains racially derogatory comments about the coworker. Like the Maryland law, the Act also permits employers to request access to employees’ personal accounts if the employer has specific information that the employee is using the personal account to misappropriate the employer’s confidential business information. Finally, the Act’s prohibitions do not apply when an employer has a duty under federal law, or to comply with a self-regulatory scheme established under the Securities and Exchange Act, to screen applicants or monitor or retain certain employee communications.

Like the password protection laws that preceded it, the IPPA carefully carves out the employer’s own systems and equipment from the Act’s purview. The Act does not bar Michigan employers from requesting, in any way, access to any device or account provided, or paid for, by the employer, or from monitoring or accessing communications or information stored on employer-provided devices, communications networks, or information systems.

Importantly, Michigan’s law contains unique provisions that should serve as a model for future legislation in the area. The Act expressly “does not create a duty” for employers to search or monitor employees’ personal Internet activity and discharges employers from liability for failing to request an applicant’s or employee’s log-in credentials. In other words, the victims of workplace violence presaged by the perpetrator-employee’s ranting social media content could not assert a negligence claim against the employer based on the employer’s failure to ask the perpetrator for access to his personal social media account. While the exact contours of these provisions are unclear, they provide important protections for employers.

The IPPA’s remedial provisions, though relatively weak, do have the potential to deter violations. Most importantly from a deterrence perspective, the Act exposes individual employees to criminal prosecution for a misdemeanor offense, but the punishment is limited to a fine of not more than $1,000. Similarly, the Act’s civil remedy provision caps damages at $1,000 and an award of attorneys’ fees and costs. Potential plaintiffs must serve a written demand on the employer at least 60 days before asserting the claim. This provision gives employers the opportunity to forestall a claim by offering $1,000 in response to a demand.

In sum, Michigan employers should be able to obtain information about employees’ Internet conduct in many circumstances where they need it. However, before investigating an employee’s or applicant’s personal Internet activity, they should carefully scrutinize the precise contours of the IPPA’s prohibitions to avoid exposing human resources professionals to a potential misdemeanor prosecution.

For additional discussion about the law, please see Littler's ASAP, Michigan's New "Internet Privacy Protection Act" Sets Limitations for Employers and Employees, by William Balke and Philip Gordon.

California's New Social Media "Password Protection" Law Takes a More Balanced Approach by Accounting for Employers' Legitimate Business Interests

Under a new California law, employers cannot request or require that applicants or employees:

  • Disclose social media log-in credentials;
  • Access personal social media in the employer’s presence; or
  • Divulge any personal social media content.

However, an exception permits employers to ask an employee to divulge personal social media content that the employer “reasonably believe[s] to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, California’s New Social Media “Password Protection” Law Takes a More Balanced Approach by Accounting for Employers’ Legitimate Business Interests, by Philip Gordon and Lauren Woon.

California (Surprisingly) Becomes First State to Take a More Balanced Approach to Social Media "Password Protection" Laws

By Philip L. Gordon

Following the lead of Maryland and Illinois, California’s legislature, last week, sent to the governor for signature the nation’s third “password protection” law. Unlike the Maryland and Illinois laws, California’s pending statute takes into account employers’ legitimate business interests.

The Illinois law broadly prohibits employers from requesting or requiring that applicants or employees disclose their personal social media log-in credentials. Maryland’s law has two narrow exceptions for investigations into suspected securities violations or misappropriation of trade secrets, without any legislative findings explaining why these two categories of workplace misconduct should be exempted from the statute’s purview while other forms of workplace misconduct, such as a threat posted on social media to kill co-workers, are not. Earlier versions of the California bill, like the Illinois law and more than one dozen bills currently pending in other states, imposed a blanket prohibition on all employer requests for personal social media log-in credentials, without consideration of employers’ legitimate need to make such requests. In a July article entitled, “Rethinking and Rejecting Social Media Password Protection Laws,” we challenged the myopic view implicit in these laws and bills, i.e., that employers rarely or never have a good reason to investigate the content of an applicant’s or employee’s restricted-access social media site.
 

Subsequently, the California legislature, often hostile to employer interests, amended its then-pending bill to adopt a more balanced and reasonable approach. The approved bill does generally prohibit employers from requesting or requiring that employees or applicants (a) disclose their user name or password to gain access to personal social media content; (b) access their personal social media in the employer’s presence, i.e., permit “shoulder surfing;” or (c) divulge any personal social media, which apparently would bar an employer from asking an employee to provide the personal social media content of a co-worker who is a Facebook friend. At the same time, however, the pending law permits employers to request that “an employee divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

While this exception is a vast improvement over the Illinois and Maryland laws, California employers should beware that the exception does not open the door all the way. To begin with, the exception does not apply to job applicants. Thus, even if a current employee were to report seeing racist or threatening content on a job applicant’s restricted access social media site, a California employer still could not gain access to the troublesome social media content unless the reporting employee voluntarily provided it. In addition, employers remain barred from asking current employees to disclose their social media log-in credentials or to permit the employer to “shoulder surf.” Nevertheless, the exception does permit California employers to ask a co-worker to provide content from the personal social media site of an employee suspected of misconduct.

California employers also should note that the California law, like the Illinois and Maryland laws, appears to have an unintended and unsupportable consequence in the context of litigation. These statutes impose no restriction on an employer’s ability to request in civil discovery that a former employee produce personal social media log-in credentials; however, all three statutes bar such requests in litigation with a current employee. Obtaining log-in credentials can be important in employment litigation so that employers’ counsel can confirm that the current or former employee has produced all discoverable information posted on his or her restricted-access social media page.

California’s pending password protection law has another unusual twist. The bill expressly relieves California’s Labor Commissioner from having to investigate complaints that the law has been violated, whereas the Labor Commissioner is required to investigate certain other violations of the Labor Code. The pending law itself also does not create a private right of action. Consequently, it remains unclear what remedies an employee could pursue were the Labor Commissioner to decline to investigate.

Employers should expect other states to enact this form of popular legislation. If the password protection laws that are on the horizon are to follow California’s more balanced approach rather than the draconian Illinois law, employers and employer groups will need to highlight the critical distinctions between the two laws through participation in the legislative process.

Recently Enacted New Jersey Law Shines Spotlight on Critical Social Media Issue for Healthcare Employers

By Philip Gordon and Inna Shelley

When the photographs and videos flooding social media include images of patients or the victims of an accident or crime, it gives human resources professionals, compliance officers and in-house employment counsel at health care facilities heartburn and forces them to spring into action. In the past several years, dozens of snap-happy health care workers have been fired for using smartphones to photograph patients and then upload the images to their social media page. One startling illustration of this phenomenon occurred when emergency room workers and staff at a medical center in California photographed an urgent care patient’s gruesome stab wounds and posted the photos on the web. In another example, an Oregon nursing assistant received an eight-day prison sentence after posting graphic photographs of nursing home residents on her social media site. Given these types of stories, it is not surprising that, according to a PricewaterhouseCoopers study published in April 2012, 63% of health care consumers expressed concern about personal health information being shared in public.

Many health care workers mistakenly believe that posting a patient’s image on a social media site does not violate HIPAA’s privacy requirements if the post excludes the patient’s name and other identifying information. To the contrary, an image that includes a patient’s face is not de-identified under HIPAA. Even when the face is obscured, the image still could be entitled to protection under HIPAA if the patient reasonably could be identified, for example, where the image reveals a distinguishing tattoo or scar.

Beyond the privacy issues, snap-happy health care workers undermine patient perceptions of a provider’s quality of care. Patients are left to ask themselves why health care workers are taking pictures when they should be providing care. These unauthorized photo shoots also show a fundamental disrespect for the patient, creating the impression that patients are being used for the health care workers’ entertainment.

On August 8, 2012, New Jersey took a step towards addressing this problem by criminalizing unauthorized photo shoots at emergency and accident scenes. Under the new law, first responders are prohibited from taking pictures or video of victims and from disclosing such images without the victim’s consent. First responders covered by the new law include: law enforcement officers; paid or volunteer firefighters; paid or volunteer members of a duly incorporated first aid, emergency, ambulance, or rescue squad association; or any other individual who, in the course of their employment, is dispatched to the scene of an accident or emergency to provide medical care or other assistance. The new law’s broad definition of “disclose” covers, among other actions, the posting of an image on the Internet. Underscoring the importance of establishing workplace policies on the issue, the new law allows first responders to take images at emergency scenes in accordance with their employers’ rules, regulations, or operating procedures.

Violation of the New Jersey law is classified as a disorderly conduct offense. In addition, a person whose image is unlawfully taken or disclosed can recover from the first responder minimum liquidated damages of $1,000 per violation or actual damages, whichever is greater, as well as punitive damages and reasonable attorneys’ fees. These remedies are in addition to any other right of action or recovery that may be available under New Jersey law.

While the New Jersey law does not apply to most health care workers, it highlights the public indignation over a practice that reflects poorly on all health care providers. Even health care employers outside of New Jersey and without employees who fall within the new law’s definition of “first responder” should confirm that their policies adequately restrict employees from posting images of patients on the Internet. One such policy provision could be to prohibit employees from using a personal cell phone, smartphone, tablet or camera to take or post any photographs or video recordings of patients to the Internet.

Illinois Enacts New Social Media Password Protection Law

On August 1, 2012, Illinois Governor Pat Quinn signed into law a bill modifying Illinois' Right to Privacy in the Workplace Act to limit employers' access to applicants' and employees' restricted social media accounts. The Illinois bill applies to both public sector and private sector employers.  The law makes Illinois the second state in recent months (after Maryland) to forbid employers from requesting or requiring log-in credentials for an applicant's or employee's social networking sites.

Specifically, Illinois' new law makes it unlawful for an employer to:

  • "request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website[;]" or
  • "demand access in any manner to an employee's or prospective employee's account or profile on a social networking website."

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, Illinois' New Social Media Password Protection Law Handicaps Employers' Legitimate Business Activities, by Philip Gordon and Kathryn Siegel.

Re-Thinking and Rejecting Social Media "Password Protection" Legislation

Reproduced with permission from the HR Library. Copyright © 2012 The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By Philip Gordon and Lauren Woon

The story went viral, and legislators around the country caught the virus. On March 21, 2012, the Associated Press reported a few incidents where employers had requested or required log-in credentials from applicants or employees to access their personal social media account. Over the next three weeks, more stories were published; some regurgitating the incidents originally reported by the A.P., and others reporting on additional, alleged inquiries. The media frenzy stoked public outrage. Legislators around the country and in Congress sought to ride the wave of public sentiment by introducing legislation to slam the door on the perceived abuse. The result has been one state law as well as bills pending in eleven states and in Congress that are unnecessary, radically rewrite the law of privacy, and unfairly expose private employers to potential liability.

Social Media “Password Protection” Laws Are Unnecessary

Neither the A.P. article nor any other article from a major U.S. news outlet comprising the media frenzy of spring 2012 cites a single study proving that private employers routinely ask applicants or employees for log-in credentials to their personal social media accounts. In fact, a careful review of the anecdotal “evidence” contained in these news stories demonstrates that the exact opposite is true. All of the media coverage combined reported one instance in which a private employer requested log-in credentials. All but this one reported incident involved public employers, such as corrections departments and police forces. The overwhelming buzz drowned out this distinction.

The only empirical data of which we are aware is fully consistent with this anecdotal evidence demonstrating that private employers do not ask for log-in credentials. Littler Mendelson’s Executive Employer Survey Report, published in June 2012, asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: “Has your organization requested social media logins as part of the hiring or onboarding process?”1 The response: 99% of respondents answered the question in the negative.

In sum, at least as far as private employers are concerned, there is no proven need for password protection laws. Both the available anecdotal and empirical evidence, albeit limited, compel the conclusion that private employers are not asking applicants or employees for personal social media log-in credentials.

Social Media “Password Protection” Legislation Radically Rewrites the Common Law of Privacy

The one password protection bill that has been enacted, in Maryland, as well as the password protection legislation pending in eleven states — California, Delaware, Illinois, Michigan, Minnesota, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington — and in Congress, generally prohibit employers from requesting or requiring that employees or applicants provide the log-in credentials for a personal social media account. The underlying premise of these bills is that an employer invades an applicant’s or employee’s privacy by viewing content on a restricted access social media account without the voluntary consent of the account holder. Digging one step deeper, these bills, at their core, are saying that the content of a restricted access social media account is private no matter how many people the user invites to view that content and regardless of the relationship between the user and the viewer. Put more plainly, these bills declare, for example, that a Facebook user who has more than 500 “friends,” including current and former supervisors and other executives at his current employer, can establish the “privacy” of his content by using Facebook’s privacy settings to restrict access to “Friends Only.”

No court has ever construed the tort of invasion of privacy by intrusion upon seclusion so broadly. That tort requires, in the first instance, a “private fact” which can be the subject of an intrusion. The vast majority of courts have held that, if the fact that is the subject of the claim has been disclosed to even a small number of people not under a legal or contractual obligation of confidentiality, the fact is not private and the intrusion upon seclusion claim fails.2 To be sure, a small number of cases have permitted an intrusion upon seclusion claim to proceed even though the plaintiff had shared the private fact with others. However, in virtually all of these cases, the private fact was shared within a group that had a very specific relationship with the plaintiff, such as co-workers or participants in an in vitro fertilization program.3 We are not aware of any case holding that facts disclosed to dozens or hundreds of people who do not form a cohesive group are private from a private employer, especially when that group includes management-level employees of the employer who is the defendant on the privacy claim. In sum, the password protection laws create a “ring of privacy” with a circumference that is far larger than any court has recognized to date.

Notably, the one reported case where a jury considered whether an employer committed an intrusion upon seclusion by accessing two employees’ restricted-access social media site resulted in a verdict on that claim for the employer. In that case, Pietrylo v. Hillstone Restaurant Group, a group of employees at a Houston’s restaurant (the chain owned by the Hillstone Restaurant Group) established an invitation-only, password-protected MySpace page.4 In the words of the site’s founder, the page would permit group members to “vent about any BS we deal with [at] work without any outside eyes spying in on us.” The founder emphasized in his first post that “[t]his group is entirely private.” Houston’s accessed the site after a group member shared her log-in credentials with management. After viewing the venting about the company, management, and customers, the restaurant fired the site’s founder and another group member. Both responded by suing Hillstone for, among other claims, violating the federal Stored Communications Act (the “SCA”) and common law invasion of privacy.

While the jury’s verdict for the fired employees on their SCA claim has received substantial press and academic attention, the jury’s verdict for Hillstone on the invasion of privacy claim seems to have been lost in the shuffle. The jury’s verdict form reveals the jury rejected that claim based on its finding that the fired employees did not have a reasonable expectation of privacy in the content they posted on their site. The jury reached this conclusion despite the password protection, despite the invitation-only rule, and despite the founder’s pronouncement that the site was “entirely private.” A fair inference is that the jurors believed the fired employees could not reasonably expect privacy in content that was available to numerous group members and that could be further disclosed by any group member to anyone, including journalists, without restriction.

Legislators, of course, are free to create a public policy that overturns decades of common law jurisprudence, particularly when necessary to address new technology not yet considered by common law courts. However, the validity of a new public policy should be closely scrutinized when there is no apparent need for it, it is so broad that it leads to absurd results, and, as explained below, it potentially exposes all private employers to substantial liability.

Social Media Password Protection Legislation Exposes Private Employers to Liability

Legislators appear to have been so swept up by the media frenzy over the perceived, but unproven, injustice of private employers asking for personal social media log-in credentials that they drafted legislation with little consideration of employers’ legitimate interests. To illustrate the point, virtually all of the pending password protection bills applicable to private employers prohibit requests for personal, social media log-in credentials without exception. In other words, these bills effectively find that private employers never have a legitimate business reason to require, or even request, such log-in credentials.

Notably, the one state which has actually enacted a password protection law recognized that a blanket prohibition is unjustified. Under Maryland’s password protection law, an employer can ask for personal social media log-in credentials when needed to investigate securities law violations or a misappropriation of trade secrets. Delaware’s pending bill, alone among the pending bills, carves out an exception for securities-related investigations.

These exceptions, however, are unjustifiably narrow. There is no reasoned basis for distinguishing between investigations into securities fraud or misappropriation of trade secrets and those into other forms of unlawful or even criminal conduct. To illustrate the point, in all states, including Maryland, an employer could not fully investigate potential workplace violence. The password protection legislation would prevent an employer from going to the source if an employee were to report that a co-worker had posted on his restricted-access social media account the following: “I’m so angry I want to kill my boss” or “I hate work. I’m gonna blow the place up.” Thus, the employer would lose the benefit of critical information, such as the context of the post and other indicia of the seriousness of the threat revealed by the actual content.

It is unclear whether the survivors of murdered employees could hold the employer legally responsible in this scenario for failing to investigate the incident adequately, but no one wants to see a test case. Critically, these examples are not hypothetical hyperbole. According to James Turner, Ph.D., president of the International Assessment Services and one of the foremost experts in the field of workplace violence, it is not uncommon for those planning to commit murder to provide clues to their homicidal intent in Internet postings before they pull the trigger. For example, a gunman wrote a series of posts to an online bulletin board, the last of which stated “It’s time,” before murdering seven people in a Tokyo shopping mall.5 Another gunman posted “I wonder if I’d make the six o’clock news if I just starting popping people off” before killing three guards and wounding a fourth on the University of Alberta campus.6

The password protection bills, as currently drafted, as well as the Maryland law, also thwart investigations into workplace harassment. It would be naïve to believe that the bullying which used to happen on the shop floor or in the break room has not moved to social media. Indeed, the California Court of Appeals recently affirmed a jury’s verdict holding an employer responsible for its employees’ bullying of a co-worker with a disfigured hand. The court relied heavily on co-workers’ scathing blog posts that referred to the employee as “The Claw” and ruthlessly ridiculed him because of his disability.7 In the California case, the employee was able to discover and report the bullying to his employer because the blog posts were public. Password protection laws, however, would throw a cloak of secrecy around this type of illegal conduct when conducted through a restricted-access social media account.

As with the workplace violence scenario, it is unclear whether an employer could be held responsible for work-related harassment that is inaccessible to the employer. The plaintiffs’ bar can be expected to try. Putting aside legal liability, workplace harassment and threats of workplace violence that are visible to co-workers, but invisible to the employer, will have intangible costs for the workplace, such as undercutting employee morale, causing tension among co-workers, and distracting employees from their work. Given the absence of any proof that private employers are asking for social media log-in credentials, there is no justification for legislatures to impose on employers those costs or the potential liability arising from an inadequate investigation of employees’ unlawful work-related social media conduct.

While the risks arguably are not as serious, the application process still can present situations where an employer justifiably seeks access to content posted on a restricted-access social media account. For example, if a current employee were to inform her human resources manager that she has seen content on an applicant’s “friends-only” Facebook page that raises serious questions about the applicant’s suitability for employment with the employer, the employer should be able to gain access to that information whether by asking the applicant or the employee for log-in credentials, for permission to “shoulder surf,” or for a hard copy or screen shot of the content in question. While the phrasing of the Maryland law and the pending password protection bills is somewhat ambiguous, they all appear to put the applicant’s social media content completely off-limits, regardless of which of these methods the employer wishes to use. Given the substantial disruption and cost to private employers of a “bad hire,” they should not be completely foreclosed from this source of information, particularly given that a host of laws — such as Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Age Discrimination in Employment Act, and the Genetic Information Non-Discrimination Act of 2008 — already substantially restrict an employer’s ability to use social media content for employment decisions.

Conclusion

State and federal legislators should recognize that they may have “jumped the gun” by relying on hype rather than facts in their hurried attempt to get ahead of a public outcry. At this point, there is no empirical data suggesting that private employers are routinely or even occasionally requesting or requiring personal social media log-in credentials. Consequently, it is not necessary to enact legislation that would radically expand the definition of “privacy” and substantially impede employers’ ability to investigate potentially unlawful and even criminal conduct.


1 Littler Mendelson Executive Employer Survey Report (June 2012), available at http://www.littler.com/content/littler-mendelson-executive-employer-survey-report-2012.

2 See, e.g., Duran v. Detroit News, Inc., 200 Mich. App. 622 (1993) (intrusion claims failed because the information defendants obtained was either available via public record or had been disclosed by plaintiffs such that it was “open to the public eye”); Fletcher v. Price Chopper Foods of Trumann, Inc., 220 F.3d 871, 877-78 (8th Cir. 2000) (intrusion claim failed where plaintiff asserted a privacy interest in the medical fact that she had a staph virus at the time of her employment termination because plaintiff revealed this information to her co-workers); cf. Nader v. Gen. Motors Corp., 25 N.Y.2d 560, 568-69 (1970) (intrusion claim was unsupported by allegations that defendants interviewed people who knew plaintiff and thereby obtained information of a private nature because plaintiff assumed the risk that those he confided in may breach that confidence; plaintiff’s claim was supported on other grounds such as unauthorized wiretapping).

3 See, e.g., Sanders v. Amer. Broadcasting Cos., 20 Cal. 4th 907 (1999) (even though the plaintiff’s conversation could be seen and overheard by co-workers, plaintiff’s intrusion claim could proceed where media reporter covertly taped plaintiff’s conversation). Cf. Y.G. v. Jewish Hosp. of St. Louis, 795 S.W.2d 488, 502 (Mo. Ct. App. 1990) (plaintiffs’ use of in vitro fertilization was a private matter even though they attended a social function for participants in the hospital’s in vitro fertilization program).

4 Pietrylo v. Hillstone Rest. Group, No. 2:06-cv-05754-FSH-PS (D.N.J. 2008).

5 Norimitsu Onishi, Man who killed 7 in Tokyo left online warnings, N.Y. TIMES (June 9, 2008), http://www.nytimes.com/2008/06/09/world/asia/09iht-09tokyo.13575210.html.

6 Michelle McQuigge, Chilling Facebook comment preceding armed guard murders stokes employee online privacy debate, THE CANADIAN PRESS (June 23, 2012), http://news.nationalpost.com/2012/06/23/chilling-facebook-comment-preceding-armed-guard-murders-stokes-employee-online-privacy-debate/.

7 Espinoza v. County of Orange, No. G043067 (consol. with G043345) (Cal. Ct. App. 2012).

Social Media Password Law Remains Idle in Illinois

It has been over one month since we discussed Illinois’s proposed social media password law. On May 22, 2012, both state legislative houses passed HB 3782, a bill that would amend the state’s Right to Privacy in the Workplace Act to prohibit employers from requesting applicant and employee social media login credentials. At that point it looked like Illinois would become the second state to enact such a law – on May 2, 2012, Maryland became the first state to prohibit such conduct. However, the bill was not sent to the governor until June 20, 2012. Moreover, the waiting game may continue because the governor has 60 days to sign, veto, or take no action on the bill. If no action is taken during the 60-day period, the bill becomes law. From a compliance readiness standpoint, because of the bill’s slow movement, if the governor signs the bill (or takes no action), employers will have more time to review and revise relevant policies because the law will not become effective until June 1, 2013, compared to January 1, 2013, had the law been signed before June 1, 2012.

Social Media Access Rights Raise Concerns Throughout Employment Cycle

By Margaret Keane

Recent weeks have seen a flurry of legislative activity aimed at preventing employers from compelling disclosure of passwords to social networking sites as a condition of hire or of continued employment. However, potentially more troubling for employers are concerns related to post-employment password access to, and use of, non-personal, social media accounts used on the employer’s behalf. As a review of recent case law shows, employers who want to ensure uninterrupted and continual access to company social media accounts and to avoid post-employment disputes over ownership of friends, followers and connections would be well advised to plan ahead.

Employer knowledge of and access to passwords is essential in several contexts. For trade secret purposes, employers should strongly consider requiring the disclosure of passwords to any accounts used in the course of performing employment functions, including those that provide access to social media accounts used on the employer’s behalf. Blogs, Twitter, LinkedIn and remote storage sites such as Dropbox are some more familiar examples. Employers should consider taking steps to maintain the secrecy of passwords and ensure that employees do the same. In PhoneDog v. Kravitz, an on-going dispute over rights to Twitter followers garnered while a blogger worked on behalf of PhoneDog, the district court denied the defendant’s motion to dismiss the company’s misappropriation claims, ruling that the question of whether an account password is a trade secret required evidence outside the pleadings. See also TMX Funding v. Impero Technologies (claim that log-in and password information were trade secrets survived a motion to dismiss). A trade secret analysis will necessarily look at whether the employer kept the password secret, so any scenario where the employer does not know the passwords of its employees could undercut an employer’s claim that an account password known only to the employee is the employer’s trade secret.

The employer’s lack of access to an account password may also be problematic following employee terminations and defections. Employers will want to have and will need to have continued access to blog accounts, Twitter followers and LinkedIn connections that may have been developed at the employer’s expense and for the employer’s use. This continued access is particularly important where a company’s advertising revenues are tied to social media activity.

To the extent there are any developing trends in case law, courts appear reluctant to grant early dismissals of claims or counterclaims as they struggle to sort out new issues raised by relatively unfamiliar technology. Compare Ardis Health, LLC v. Nankivell (court ordered employee to return user names and passwords to social media sites used in her position as Video and Social Media Producer and permitted conversion claims against her to proceed to discovery) with Eagle v. Morgan (locking a terminated employee out of a LinkedIn account may subject an employer to misappropriation claims). In Health and Body Store, LLC v. Justbrand Limited, the first federal appellate case to address the use of social media passwords after termination, the Third Circuit recently held that the district court had abused its discretion in failing to consider whether terminated employees had breached fiduciary duties when the former employees changed a password to deprive their employer of access to websites that the parties had used jointly to conduct a separate Internet business.

Questions as to who “owns” passwords and social media accounts, including friends, followers and connections, and how they may be used are working their way through the courts. However, because technology moves faster than law, prudent employers should consider taking the following steps:

  • Require employees to establish business-related accounts using a corporate e-mail address (where an e-mail address is required) and to make the employer the account holder or subscriber;
  • Implement policies that protect the employer’s right to know all relevant, business-related passwords at all times and to be informed of any changed passwords;
  • Require former employees to relinquish any rights to access accounts that have been used on the employer’s behalf;
  • Give the employer the exclusive and unilateral right to change passwords and block access to those accounts upon any change in employment status; and 
  • Enter an appropriate agreement with employees and consultants before they begin to engage in social media use on the employer’s behalf or include relevant provisions in Proprietary Invention and Assignment Agreements or other confidentiality and non-disclosure agreements.


NLRB's Acting General Counsel Issues Third Guidance Document on Social Media and Approves One Policy

On May 30, 2012, the National Labor Relations Board's Acting General Counsel issued his third guidance document on social media since August 2011. In that report, he took the opportunity to approve one employer's social media policy, a move that finally provides employers clear guidance in connection with the regulation of this rapidly evolving area of the law. The Acting GC's guidance, which was published in the form of an Operations Management Memorandum, was accompanied by an Advice Memorandum in Walmart, Case No. 11-CA-067171. It is in this case that the agency articulated its reasoning and found, for the first time, a social media policy that was acceptable in its entirety. To learn more about the guidance and its potential implications for employers, please continue reading Littler's ASAP, Three's a Charm: NLRB’s Acting General Counsel Issues Third Guidance Document on Social Media and Approves One Policy, by Philip Gordon.

Littler Mendelson's Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About Illinois Social Network Password Law

The Illinois Senate and House passed a bill that will soon make their state the second in the country to have a law prohibiting employers from asking employees for their credentials to social networking sites. While this surely makes employees happy, the law and ones like it have the potential to inhibit legitimate business activities. In an interview with The Lexblog Network, Philip Gordon—Chair of the Privacy and Data Protection Practice Group at Littler—explains the basics of the Illinois law, how it could potentially inhibit businesses and where we might find some kind of happy medium.

Illinois' New Social Media Password Law Raises Substantial and Unjustified Obstacles to Employers' Legitimate Business Activities

By Philip L. Gordon

With last week’s approval by Illinois’ Senate of a House bill entitled, “The Right to Privacy in the Workplace Act,” Illinois (assuming the Governor signs the bill) will soon become the second state, joining Maryland, to forbid employers from requesting or requiring log-in credentials for an applicant’s or employee’s social networking site. This bill, like Maryland’s law, raises significant interpretative challenges for employers while imposing unjustified and overbroad restrictions on their ability to run their own business.

Remarkably, the Illinois bill (like the Maryland law) contains no legislative findings supporting the need for the law. To be sure, in March and April of this year, there was a media frenzy aimed at creating the impression that private employers routinely request access to applicants’ and employees’ social networking accounts. This stir, however, was substantially overblown. It was based on a small number of news stories, virtually all of which involved job applicants, not employees, and public, not private, employers. To date, we have seen no empirical evidence suggesting that private employers are engaging in the practice which is the subject of legislation not only in Illinois and Maryland, but also of pending bills in ten other states (California, Delaware, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina and Washington) and in both houses of Congress.

Despite the absence of a proven need, the Illinois bill imposes apparently broad restrictions on employers. The bill prohibits an employer from “request[ing] or requir[ing] any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website.” The bill also forbids employers from “demand[ing] access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.”

While the first prohibition is clear enough, the scope of the second is ambiguous. The second prohibition appears to be aimed at “shoulder surfing,” i.e., an employer’s asking an applicant or employee to log into a social networking site without revealing log-in credentials so that the employer can review the site. Similarly, this prohibition appears to reach an employer’s asking an employee or applicant to print a hard copy of his or her own social networking site or to e-mail screen shots of that site to the employer. Assuming this prohibition is intended to reach such conduct, it remains unclear whether the prohibition applies only to content posted on the applicant’s or employee’s own social networking site or extends to the restricted social networking sites of co-workers who are not the subject of the request.

To put the ambiguity into sharper focus, consider the following scenario. An employee reports to his human resources manager that a co-worker, who is a Facebook friend, has commented on his own wall, which is restricted to “Friends Only,” that he is so angry at the company he could “blow the place up.” The Illinois law appears to prohibit the HR manager from asking the reporting employee to permit the HR manager to view the posting co-worker’s post on the reporting employee’s own newsfeed and from asking the reporting employee to print a hard copy of the post or to e-mail a screen shot of the post to the HR manager. The Illinois law also appears to prohibit the HR manager from asking the posting co-worker for access to his social networking site so the HR manager can investigate the reporting employee’s allegation. However, it is unclear whether the Illinois law would prohibit the HR manager from asking the reporting employee, without disclosing his own log-in credentials or any information on his own news feed, to access the posting co-worker’s “Friends Only” Facebook wall so the HR manager could corroborate and further investigate the allegation.

While this point, at first blush, may appear to be hair splitting, it is critical for employers because the Illinois law contains no exception for legitimate workplace investigations. In fact, the Illinois law contains no exceptions at all to its general prohibitions. Instead, the law merely emphasizes that it is not intended to restrict an employer’s right to promulgate policies regulating use of the employer’s own electronic resources or from monitoring usage of the employer’s own electronic resources, including e-mail. The bill also expressly states that it does not apply to “information that is in the public domain,” i.e., social networking sites for which the account holder has not used privacy settings to restrict access. However, this limitation provides little aid to employers as applicants and employees increasingly activate privacy settings to restrict access to their social media accounts. In sum, the Illinois law shuts off most, if not all, access by employers to a potentially important source of information when conducting legitimate investigations into misconduct related to work, such as workplace violence, unlawful harassment, and misappropriation of trade secrets.

The absence of any exceptions to the general prohibition in the Illinois bill highlights another challenge for employers raised by this new genre of workplace regulation. The Maryland law contains exceptions for investigations of suspected securities fraud violations and suspected misappropriation of trade secrets. While these exceptions themselves are overly narrow, their absence from the Illinois bill suggests that the states are beginning to weave yet another inconsistent patchwork of laws that will further complicate for employers the already daunting challenge of regulating new technology in the workplace.

Littler Mendelson's Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About Maryland Facebook Password Law

Philip Gordon, Chair of Littler Mendelson's Privacy and Data Protection Practice Group and a frequent contributor to this blog, was recently interviewed by The Lexblog Network about Maryland's recently-enacted Facebook password law and what it accomplishes.


Maryland "Facebook Law" Raises New Obstacles For Employers Vetting Applicants And Investigating Employees, But With Important Exceptions

By Philip L. Gordon

The momentum in the media made it almost inevitable: the first state law to expressly restrict employers from asking applicants and employees for social media account log-in credentials has been passed. Not surprisingly, Maryland, where the issue first burst onto the scene in April 2011, wins the “honor.” However, Maryland likely has opened the floodgates. Bills currently are pending in California, Illinois, Minnesota, New Jersey, and Washington. Employers seeking to understand the implications of the Maryland law must look beyond the blaring headlines to the details of the statute.

To begin with, the law’s general prohibition is both broad and narrow. Effective October 1, 2012 (assuming the Governor signs the law), employers are prohibited from requiring, or even asking, that applicants or employees disclose “any means for accessing,” such as a user name or password, for “any personal account or service” accessed through “computers, telephones, personal digital assistants, and other similar devices.” In other words, the prohibition extends far beyond Facebook and other social media sites to include personal e-mail accounts, personal online banking accounts, and any other online communications or service account.

The Maryland law prohibits an employer from taking or threatening any form of adverse action based on an employee’s or applicant’s refusal to provide a user name or password to a personal account accessed through a communications device. An employer cannot discharge, discipline or otherwise penalize an employee. An employer cannot reject an applicant for engaging in the protected conduct.

Notably, the Maryland law contains no enforcement provision. The law does not authorize applicants or employees to sue. The law does not even delegate authority to the Maryland Department of Labor, Licensing and Regulation, or any other government agency, to enforce it. It is possible that an employee terminated in violation of the law might have a claim for wrongful discharge in violation of public policy. However, because that claim typically applies only to discharge, it is unclear whether an employee who is disciplined short of discharge would have a claim. It also is uncertain whether an applicant who is denied employment in violation of the law would be able to assert a claim.

While the law seems overly broad at first blush, it is critical for employers to understand the types of conduct that the law does not prohibit. Some of these exceptions are expressed in the statute itself; others are implicit.

  1. Access To Employer’s Internal Systems: The law expressly permits employers to require that employees disclose log-in credentials “for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.” In other words, employees cannot rely on the law to prevent employers from gaining access to information stored on the employer’s own information systems.
  2. Violations Of Securities Or Financial Laws, Or Regulatory Requirements: If an employer receives information that an employee is using a personal online account for business purposes, the law “does not prevent” an employer from conducting an investigation to ensure that the employee is complying with “securities or financial law, or regulatory requirements.” This exception appears intended to apply in a situation where an employee of a financial services company uses a personal online account to trade securities or engage in other financial transactions on the employer’s behalf.
  3. Protection Of Trade Secrets: If an employer receives information that an employee has downloaded the employer’s proprietary information, without authorization, to a personal online account, the law “does not prevent” an employer from conducting an investigation into such suspected misconduct.
  4. Passwords To Devices: While the Maryland law bars employers from requesting log-in credentials for “accessing a personal account or service,” the law does not prohibit employers from requesting or requiring log-in credentials to access an employee’s personal device, such as a smartphone or tablet. This distinction is critical as employers increasingly are implementing “Bring-Your-Own-Device” policies.
  5. Nonpersonal Accounts: The law protects log-in credentials only for “personal” accounts. Maryland employers should clearly define which accounts are personal and which are nonpersonal. For example, if an employee uses a corporate e-mail address to establish a LinkedIn profile or Twitter account, the employer should ensure that employees know from the outset that such an account is “nonpersonal” for purposes of the Maryland law.

Because the Act’s restrictions on its face arguably apply only to the disclosure of log-in credentials, it remains to be seen through judicial interpretation whether the Act’s restrictions bar an employer from, for example, asking an employee or applicant to log into a personal account without disclosing the log-in credentials to the employer so the employer can observe the content of the personal account or asking an employee or applicant to print the content of a personal account. Before an employer chooses this route, they should speak with their employment counsel to educate themselves about the legal risks of doing so. While Maryland is the first jurisdiction to enact this legislation, it is not likely to be the last. Indeed, bills proposing similar restrictions currently are pending in various states, including but not limited to California, Illinois, Minnesota, New York, and Washington. In addition, U.S. Senator Richard Blumenthal (D–CT) has stated his plan to introduce similar legislation "in the very near future."

Requiring Social Media Information Is a Bad Idea

Employers continue to wrestle with the issue of whether to require employees and prospective employees to divulge their social media passwords. A recent spike in interest by the media, by advocacy groups, legislators and the general public has refocused attention on the issue. Although it may not be unlawful to seek the information to conduct background checks, deter and investigate harassment of coworkers, and discourage employees from posting online content that disparages the employer's products or services, in most situations, it is inadvisable. To learn more about the pitfalls of social media information requests, proposed federal and state bills prohibiting such requests and their potential implications for employers, please continue reading Littler's ASAP, Though Not Yet Banned, Requiring Social Media Information Is a Bad Idea by Chris Leh.

NLRB Report Challenges Validity of Many Commonly Used Social Media Policies

By Philip Gordon

In its most recent effort to draw lines on the self-described “hot topic” of the “lawfulness of employers’ social media policies and rules,” the National Labor Relations Board’s (NLRB) Office of General Counsel has taken the position that many policy provisions commonly seen in employers’ social media policies violate the National Labor Relations Act (NLRA). This most recent shot across the bow came on January 24, 2012, in the form of a report, issued to senior regional staff, on 14 cases which, according to the General Counsel, “present emerging issues in the context of social media.” This report follows a previous General Counsel report, dated August 18, 2011, which discussed 14 prior NLRB cases involving social media issues.

The cases treated in the report also contain the General Counsel’s opinion on whether the employer in each case violated the NLRA by imposing discipline based on social media conduct. We will cover this aspect of the report in a separate and forthcoming blog post. Here, we will focus on the thicket that the NLRB has created for employers who are trying to gain some reasonable control over what employees publish in social media, often to the world, about co-workers, supervisors, the workplace, and the employer’s products and services.

Each of the headings below reviews the General Counsel’s current position on a particular type of commonly used policy provision. Employers should carefully review their existing policies and any new policy in light of the General Counsel’s most recent report. With careful drafting and the use of examples and limiting language, employers should still be able to achieve their objectives of gaining limited control over the Wild West of social media content while staying within the parameters of the NLRA.

No Defamation/Non-Disparagement: No employer likes seeing its employees or organization trashed in social media, but, according to the General Counsel, a broad non-disparagement policy violates the NLRA on a per se basis because it could inhibit employees from making negative comments about the terms and conditions of their employment. For example, the General Counsel opined in the report that the following policy prohibition is illegal: “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The General Counsel reached the same conclusion on a policy which prohibits “discriminatory, defamatory, or harassing web entries about specific employees, work environment, or work-related issues on social media sites.”

While the General Counsel’s opinion sounds frustrating, employers should not despair. The General Counsel explains that by including non-disparagement policy language within a list of other forms of unprotected conduct, an employer’s non-disparagement policy will comply with the NLRA. To illustrate the point, the General Counsel pointed to the NLRB’s holding that a policy prohibiting “statements which are slanderous or detrimental to the company” was lawful when it “appeared on a list of prohibited conduct including ‘sexual or racial harassment’ and ‘sabotage.’” Following this authority, the General Counsel gave its stamp of approval in the report to a policy which “prohibited the use of social media to post or display comments about coworkers or supervisors or the Employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the Employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.”

Confidentiality: Protecting confidential information and trade secrets from competitors is critical to every organization. According to the General Counsel, however, a confidentiality policy is illegal if it would impinge on employees’ ability to discuss their wages and working conditions with others inside or outside the organization. Consistent with that reasoning, the General Counsel’s report rejected a provision in an employer’s social media policy that prohibited employees from “disclosing or communicating . . . confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department.” By contrast, the General Counsel approved a policy provision that “prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients” as well as “‘embargoed information,’ such as launch and release dates and pending reorganizations.” The General Counsel approved of this policy language based on the following reasoning: “Considering that the Employer sells pharmaceuticals and that the rule contains several references to customers, patients, and health information, employees would reasonably understand that this rule was intended to protect the privacy interests of the Employer's customers and not to restrict Section 7 protected communications.”

The General Counsel’s distinction between the two confidentiality provisions suggests a potential litmus test for confidentiality language in a social media policy: if the policy reasonably could be read to prevent employees from disclosing the amount of their compensation to family members, the General Counsel likely would find the policy to be overbroad. Employers should note that this same issue could apply to confidentiality agreements signed by hourly workers, and not just to confidentiality requirements in a social media policy.

Logos/Trademarks: Organizations understandably want to control use of their logo and trademarks. Nonetheless, a social media policy which prohibits “use of the company’s name or service marks outside the course of business without prior approval of the law department” is, according to the General Counsel, unlawful. The General Counsel takes the position that employees have the right under the NLRA to use the company’s name and logo “while engaging in protected concerted activity, such as in electronic or paper leaflets, cartoons, or picket signs in connection with a protest involving the terms and conditions of employment.” The General Counsel reasoned that such protected use of a company’s name and logo does not “remotely implicate[]” the company’s interests protected by trademark law, “such as the trademark holder’s interests in protecting the good reputation associated with the mark from the possibility of being tarnished by inferior merchandise sold by another entity using the trademark and in being able to enter a related commercial field and use its well-established trademark.”

This reasoning is wrong. An employee easily could damage brand reputation and engender customer confusion by, for example, creating a Facebook page with the corporate name and logo. At a minimum, an employer should be able to prohibit employees from using the company name or logo when engaging in, or depicting in social media, any conduct which violates the Company’s policies or is unlawful; such a policy would not encompass activity protected by Section 7 of the NLRA. Employers also should consider consulting intellectual property counsel about logo and trademark issues and not necessarily develop a marketing strategy based solely on NLRA issues. However, the General Counsel’s analysis (which is not law, but rather the Office’s view of the law) should not be fully ignored either.

Employee Disclaimers: Social media policies commonly mandate that employees must include a disclaimer in any social media content that relates to the employer. For example, in one of the cases discussed in the General Counsel’s report, the employer’s social media policy required that employees “expressly state that their comments are their personal opinions and do not necessarily reflect the Employer’s opinions.” The General Counsel opined that this policy requirement violates the NLRA because it “would significantly burden the exercise of employees’ Section 7 rights to discuss working conditions and criticize the Employer’s labor policies.” Fortunately, employers can achieve a similar result with a policy that prohibits employees from representing in any way that they are speaking on the Company’s behalf without prior written authorization to do so.

It is worth noting that the General Counsel did approve an employee disclaimer requirement in the section of a social media policy addressing product promotions. The General Counsel explained that in context, this provision could not be read to interfere with Section 7 rights because the policy focused on product promotions and endorsements and was intended to avoid potential liability for unfair and deceptive trade practices under guidance issued by the Federal Trade Commission.

Discussions of Work-Related Concerns: The aphorism, “Don’t hang out your dirty laundry,” may seem antiquated but many employers still say just that in their social media policy. By way of illustration, one policy discussed in the General Counsel’s report “required employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination.” The General Counsel concluded that this policy violated the NLRA because of the threat of discipline. Employers can avoid this potential pitfall by urging, but not mandating, that employees use internal channels, rather than social media, to resolve workplace concerns. In that regard, the General Counsel’s opinion is nothing new, but rather is in line with traditional NLRA law on protected, concerted activity in general.

Communications with the Media: Social media policies often tell employees not to discuss with the media their social media content related to the company. The General Counsel’s report finds such prohibitions illegal. (“An employer’s rule that prohibits employee communications to the media or requires prior authorization for such communications is therefore unlawfully overbroad.”) However, a similar report issued by the General Counsel on August 18, 2011, recognized that “a media policy that simply seeks to ensure a consistent, controlled company message and limits employee contact with the media only to the extent necessary to effect that result cannot be reasonably interpreted to restrict Section 7 communications.” In light of that principle, the General Counsel blessed the media policy in question because the “policy repeatedly stated that the purpose of the policy was to ensure that only one person spoke for the company” and even though “employees were instructed to answer all media/reporter questions in a particular way.” In other words, it appears that employers can still carefully craft a provision on media relations in a social media policy which complies with the NLRA.

“Unprofessional” Content: In several of the reported cases, the General Counsel took issue with policy terms that were undefined, vague, or subjective. These terms included prohibitions on “insubordination or other disrespectful conduct,” “inappropriate conversation,” “unprofessional communication that could negatively impact the Employer’s reputation or interfere with the Employer’s mission,” and “nonprofessional/inappropriate communication regarding members of the Employer’s community” as well as the requirement that social media activity occur in an “honest, professional, and appropriate manner.” Employers can achieve the intended objectives of this disfavored language by using terms that are defined in the social media policy or other policies or by providing examples of prohibited conduct with examples that do not include conduct protected by the NLRA.

Employee’s Self-Identification: Some employers have tried to protect their organization by telling employees not to identify their affiliation with the organization when engaging in social media activity unless there is a legitimate business reason for doing so. In its report, the General Counsel took the position that this type of policy violates the NLRA “because personal profile pages serve an important function in enabling employees to use online social networks to find and communicate with their fellow employees at their own or other locations.” Employers should not view the General Counsel’s position here as a particular setback. Telling employees not to mention their employer by name in a personal profile is akin to telling them not to do the same at a cocktail party; the rule would be honored in the breach.

Securities Blackouts: Publicly traded companies are rightfully concerned that employees may let slip on social media highly sensitive information about a corporate transaction, new product launch, or non-public financial information. Among the few policy provisions with which the General Counsel did not take issue was one which stated that the employer might “request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws.” The General Counsel reasoned that “employees reasonably would interpret the rule to address only those communications that could implicate security regulations,” as opposed to the terms and conditions of their employment.

Employer Disclaimers: In the wake of the NLRB’s aggressive position since the AMR case in late 2010 on social media policies and employee discipline based on social media conduct, many employment and labor law practitioners have recommended the inclusion of a disclaimer in social media policies. The disclaimer explains that the employer’s policies are not intended to interfere with employees’ rights under the NLRA. In its first public review of a disclaimer in a social media policy, the Board somewhat surprisingly took the position that such a disclaimer was ineffective. In that case, the disclaimer stated as follows:
 

[T]he policy [will] not be interpreted or applied so as to interfere with employee rights to self-organize, form, join, or assist labor organizations, to bargain collectively through representatives of their choosing, or to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from engaging in such activities.

According to the General Counsel, this disclaimer could not “save” a policy provision prohibiting employees from posting “inappropriate” content because “an employee could not reasonably be expected to know that this language encompasses discussions the Employer deems ‘inappropriate.’” Given the detailed nature of the disclaimer in question, this conclusion suggests the General Counsel, and possibly the Board itself, will view skeptically any effort by an employer to rely upon a disclaimer to protect an otherwise overbroad social media policy. That is an unfortunate result for employers, as a disclaimer seemed to be the answer to keeping a policy simple and uncluttered, without violating the NLRA. Now employers should consider instead replacing such a disclaimer with a list of specific limitations or examples, such as those discussed above which can transform an otherwise overbroad (at least in the eyes of the General Counsel) non-disparagement provision into one that complies fully with the NLRA.

Upcoming Privacy Events

Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up steam. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.

Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:

  • Raise employee awareness and educate employees in the handling of sensitive data
  • Safeguard company equipment and wireless devices and minimize damage in the event of breach 
  • Protect corporate networks from the use of multiple portable devices while preserving employee rights
  • Establish policies and procedures to strengthen and maintain data security


Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.

Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.


NLRB Opens Useful Escape Hatch for Employers Responding to Obnoxious Social Media Conduct

By Philip L. Gordon

Selling luxury cars in a down economy can be tough enough without employees mocking a company-sponsored sales event on their Facebook page. An administrative law judge (ALJ) with the National Labor Relations Board (NLRB) issued an opinion last week holding that the National Labor Relations Act (NLRA) protected an employee’s sarcastic post, but nonetheless upheld the dealership’s termination decision because it was based on other, unprotected Facebook content. The decision is an important reminder for employers that when protected and unprotected content appear on the same Facebook wall, the protected content does not shield the employee from discipline based on the unprotected content.

The Knauz BMW dealership in Lake Bluff, Illinois, planned the “Ultimate Driving Event” to introduce the redesigned BMW 5 Series to its customers. At the event, the dealership not only offered BMW representatives, rather than the dealership’s sales staff, to take customers for a test drive, but also served hot dogs from a hot dog car as well as chocolate chip cookies, small bags of Doritos, and water. Upon learning of the dealership’s plans for the event, salesman Bobby Becker and at least one other salesperson questioned the culinary selection. After the event, Becker tweaked the dealership on his Facebook page: “The small 8 oz. bags of chips, and the $2.00 cookie plate from Sam’s Club, and the semi fresh apples and oranges were such a nice touch . . . but to top it all off . . . the Hot Dog Cart. Where our clients could attain a over cooked weiner and a stale bunn . . . ”

Becker’s rag on the Ultimate Driving Event did not stand alone. On the same day, he also posted about a potentially serious mishap at the nearby Land Rover dealership also owned by Knauz BMW. Becker described the drama on his Facebook page, alongside a photograph with the following comment: “This [photograph shows] what happens when a sales Person sitting in the front passenger seat (Former Sales Person, actually) allows a 13 year old boy to get behind the wheel of a 6000 lb. truck built and designed to pretty much drive over anything. The kid drives over his father’s foot and into the pond in all about 4 seconds and destroys a $50,000 truck. OOOPS!”

In deciding whether Knauz BMW violated the NLRA by discharging Becker, the ALJ agreed with the NLRB’s General Counsel that Becker’s Facebook comments about the food at the Ultimate Driving Event were protected concerted activity, a position previously expressed by the General Counsel in its August 2011 report on the NLRB’s social media cases which we discussed in an earlier blog post. The ALJ reasoned that Becker’s comments were protected because it was possible, albeit not likely, that the food selection could have had an impact on Becker’s commission-based compensation. In the words of the ALJ, “some customers [possibly] were turned off by the food offerings at the sales event and [perhaps] did not purchase a car because of it.” The ALJ also found that Becker’s Facebook posting was concerted activity — even though no co-worker participated in, or commented on, the post — because the post was the “logical outgrowth of” the criticisms by Becker and at least one other co-worker of the food selection during the sales force’s meeting with management before the event. This result demonstrates just how broadly the NLRB interprets the concept of “protected concerted activity” which cannot properly be the subject of employee discipline.

Notably, the ALJ rejected Knauz BMW’s argument that Becker’s Facebook post should lose its protection under the NLRA because the post disparaged the dealership. Without much analysis, the ALJ noted that the NLRB had previously rejected the same argument in cases where employees’ protected speech was mocking, sarcastic, satirical, ironic, demeaning or even degrading. It appears that an employee’s protected speech will need to reach a high level of injuriousness before the Board will strip that speech of the NLRA’s protections.

Although Becker had engaged in protected concerted activity, the ALJ still determined that Knauz BMW’s decision to axe Becker was lawful. The ALJ found persuasive the testimony of management employees that Becker’s facetious comments about the serious and potentially deadly Land Rover mishap triggered the termination decision. The ALJ then determined that this post did not constitute protected concerted activity because “it was posted solely by Becker,” “without any discussion with any other employee,” and “had no connection to any other employees’ terms and conditions of employment.”

The lesson for employers? Employees who post some protected social media content do not protect themselves with impunity from adverse employment action. Employers can rely on unrelated, unprotected social media posts to justify termination; they just need to be prepared to prove that the unprotected speech was the driving force behind the disciplinary decision.

More Guidance from the NLRB on Social Media: When Must Employers Not Fire an Employee for an Offensive Facebook Post?

By Philip Gordon

In a recent blog post, we addressed three Advice Memos issued by the National Labor Relations Board’s (NLRB or the “Board”) Division of Advice, which provided useful guidance on the types of social media conduct that do not enjoy protection under the National Labor Relations Act (NLRA). On August 18, 2011, not long after the publication of those Advice Memos, the NLRB’s General Counsel issued a lengthy memorandum to all Regional Directors that summarizes the Board’s resolution of more than one dozen “social media cases,” including the three cases discussed in our prior blog post. As a contrast to that post, this post will focus on the cases in the August 18, 2011, Memorandum where the General Counsel found that an employer’s discharge of an employee violated the NLRA. The August 18, 2011, Memorandum also provides useful guidance on social media policies, which are addressed below as well.

When Not to Fire an Employee Based on a Social Media Post

The August 18, 2011, Memorandum summarizes four cases that concluded that the employer’s discipline violated the NLRA. In a nutshell, these cases involved the termination of one or more employees based on the following social media conduct:

  •  While preparing for a meeting with management, an employee asked coworkers on her Facebook page for their reaction to another employee’s complaints about work quality and staffing levels at the employer;
  • An employee complained on her Facebook page about her supervisor’s refusal to permit a union representative to assist her in responding to a customer complaint about the employee;
  • A salesman at a car dealership criticized on his Facebook page the dealership’s handling of a sales event intended to promote a new car model and posted mildly mocking photographs that included his coworkers;
  • Employees posted on Facebook about the employer’s failure to withhold state income taxes, resulting in the employees’ receiving payment demands from state tax authorities.

In all of these cases, employees posted on their own Facebook page, on their own time, and using their own equipment.

When viewed as a group, these cases have a common thread that provides substantial insight into how the Board analyzes social media cases. Most importantly, the subject matter of each of these posts related to the terms and conditions of employment, the exercise of rights conferred by the NLRA, or other matters traditionally considered “protected activity” under the Board’s precedent. The topics included: (a) preparation for a discussion with management about employees’ job performance and the employer’s staffing levels; (b) the right in a unionized workplace to union representation during an investigatory interview by the employer; (c) conduct by the employer (a sales event) that could have an impact on employees’ compensation (their sales commissions); and (d) the employer’s administration of income tax withholdings.

Of equal significance, in each of these situations, the General Counsel concluded that employees were collaborating, otherwise known as “concerted activity.” In the first case, the employee was seeking assistance from coworkers in preparation for a discussion with management. In the second case, the employee was discussing supervisory actions with coworkers who were her Facebook friends. In the third case, the employee was expressing the sentiment of his coworkers about the sales event. In the fourth case, employees were sharing concerns about the employer’s failure to withhold state income taxes. None of these cases could be said to involve individual gripes.

While the fulcrum of these cases is the General Counsel’s determination that the disciplined employees were discussing protected subject matters and doing so in concert with their coworkers, there is one other common thread that can help employers weigh risks when deciding whether an employee’s social media post justifies discipline. In each of the cases, the offending Facebook post was either the culmination of an on-going dispute with the employer or the continuation of a pre-existing conversation among employees. In contrast to these fact patterns, the Facebook posts discussed in our previous blog entry and upon which the Division of Advice relied to justify discipline were relatively spontaneous and had no real history behind them.

Profanity Generally Will Not Justify Discipline for Protected Concerted Activity

According to the General Counsel, the offending Facebook posts in these cases included “swearing and/or sarcasm,” use of a “short-hand expletive,” and references to management personnel as an “asshole” and a “scumbag.” Nonetheless, in each case, the General Counsel concluded that the employer’s termination violated the NLRA.

The General Counsel’s analysis in these cases seems to give employees a license to curse. In finding that an employee did not lose the NLRA’s protections after calling her supervisor a “scumbag,” the General Counsel relied on the following facts: (a) “the Facebook posts did not interrupt the work of any employee because they occurred outside the workplace and during nonworking time;” (b) “the comments were made during an online employee discussion on supervisory action;” (c) “the name-calling was not accompanied by verbal or physical threats;” (d) “the Board has found more egregious name-calling protected;” and (e) “the employee’s Facebook postings were provoked by the supervisor’s unlawful” conduct.

In social media cases, the first three or four factors listed above typically will be present. Thus, the Board effectively is telling employers that they must have a thicker skin when it comes to employees’ raunchy social media posts.

Disclaimers and Carefully Crafted Policies Are Critical

Throughout the August 18, 2011, Memorandum, the General Counsel identified social media policy provisions that the General Counsel deemed overbroad and in violation of the NLRA. At first blush, these determinations are portentous for employers because employers routinely include the challenged provisions in their social media policy. However, the August 18, 2011, Memorandum suggests — at least implicitly — how employers can retain these commonly used policy provisions without running afoul of the NLRA.

The list of policy provisions found to be overbroad is lengthy but worthy of repetition. The list includes the following:

  1. Inappropriate Discussions: Prohibition against “inappropriate discussions about the company, management, and/or coworkers;”
  2. Defamation: Prohibition on any social media post that “constitutes embarrassment, harassment or defamation of the [company] or of any [company] employee, officer, board member, representative, or staff member;”
  3. Disparagement: Prohibition against “employees making disparaging comments when discussing the company or the employee’s superiors, coworkers and/or competitors;”
  4. Privacy: Prohibition on “revealing, including through the use of photographs, personal information regarding coworkers, company clients, partners, or customers without their consent;”
  5. Confidentiality: Prohibition on “disclosing inappropriate or sensitive information about the Employer;”
  6. Contact Information: Prohibition on “using the company name, address, or [related] information on [employees’] personal profiles;”
  7. Logo: Prohibition on using “the Employer’s logos and photographs of the Employer’s store, brand, or product, without written authorization;”
  8. Photographs: Prohibition against “employees posting pictures of themselves in any media . . . which depict the Company in any way, including company uniform [or] corporate logo.”

Removing all of the prohibitions described above would eviscerate most social media policies. Fortunately, such drastic action does not appear to be necessary.

In finding these rules unlawful, the General Counsel emphasized not only their overbreadth (i.e., “the [rules] utilized broad terms that would commonly apply to protected criticism of . . . terms and conditions of employment”), but also that “the rule[s] contained no limiting language to inform employees that [the rules] did not apply to Section 7 activity.” This italicized language suggests that the rules quoted above will not violate the NLRA as long as the policy contains a disclaimer which explicitly informs employees that the policy will not be construed or applied in a manner that improperly interferes with employees’ rights under Section 7 of the NLRA.

The General Counsel also provided some guidance for policy drafting by rejecting challenges to several other policy provisions. One upheld policy, for example, provided that “no employee could ever be pressured to ‘friend’ or otherwise connect with a coworker via social media.” The General Counsel reasoned that this policy was “sufficiently specific,” “clearly applied only to harassing conduct,” and could not be read to prohibit employees from friending for purposes of engaging in activity protected under the NLRA.

In a second example, the General Counsel approved of a policy that required employees to “maintain confidentiality about sensitive information” and to direct all media inquiries to the company’s public affairs office after stating that the employee was not authorized to comment. The General Counsel determined that this policy did not violate the NLRA because it was intended only “to ensure a consistent, controlled company message,” was not a blanket prohibition on all contact between employees and the media, and “did not convey the impression that employees could not speak out on the terms and conditions of their employment.”

These examples suggest that an employer can increase the likelihood that its social media policy will survive the NLRB’s scrutiny if the policy emphasizes the legitimate purposes that it seeks to achieve, such as protecting the employer’s good will and brand reputation. In addition, restrictions in the policy on employees’ social media conduct should, where practicable, be narrowly tailored to meet those legitimate objectives.


When Can Employers Lawfully Fire an Employee for an Offensive Facebook Post? Ask the NLRB

By Philip L. Gordon

Ever since the National Labor Relations Board (NLRB) filed a complaint, last November, against ambulance service provider AMR for firing an employee who had called her supervisor a “mental patient” on her Facebook wall, employers have been forced to ask themselves the following question: Do I really need to worry that the NLRB will knock on my door every time I discipline an employee for an obnoxious or offensive Facebook post related to work? Until two weeks ago, there was no easy answer to that question. The AMR case and virtually all of the other “Facebook cases” initiated by the NLRB had either settled or had not yet resulted in a published decision. Then, last month, the NLRB’s Office of General Counsel issued three Advice Memoranda in rapid succession that provide at least some guidance for employers trying to navigate the intersection of social media and labor law.

Two of the Advice Memoranda draw the same bright line rule: an employee who communicates about work through Facebook but only with family or friends cannot invoke the protections of the National Labor Relations Act (NLRA) to avoid dismissal. In one of these two cases, an employee of a residential home for homeless individuals with significant mental illness posted facetious comments about residents on her Facebook wall. Only a personal friend responded to the Facebook posts, and none of the employee’s coworkers were her Facebook friends. The General Counsel concluded that the employee’s Facebook posts were not protected because the employee was merely communicating with personal friends about work. In addition: (a) her posts did not relate to the terms or conditions of employment; (b) the employee did not discuss her posts with coworkers, and no coworkers responded to them; and (c) the employee was not seeking to induce collective action and her posts were not an outgrowth of collective concerns.

The second case was a slightly tougher one. There, a bartender complained through Facebook to his step-sister about his employer’s policy barring him from sharing in tips given to servers even though the bartenders helped to serve food. The General Counsel concluded that the bartender could not rely on the NLRA to reverse his firing, even though the post related to the terms of employment, for the same reasons that the employee of the residential home could not do so – the employee did not discuss his post with coworkers and the employee was not seeking to induce collective actions.

The third case provides the most useful guidance, drawing the line between individual gripes (unprotected) and collective activity (protected). In that case, the employee made the following comments about her store’s Assistant Manager:

I swear if this tyranny doesn’t end in this store, they are about to get a wakeup call because lots are about to quit.
* * * *
[Assistant Manager] is being a super mega puta! Its retarded I get chewed out cuz we got people putting stuff in the wrong spot and then the customer wanting it for that price . . . . I’m talking to [Store Manager] about this shit because if it don’t change [Company] can kiss my royal white ass.

The General Counsel concluded that the employer could lawfully fire the employee because the posts expressed only an individual gripe, i.e., the employee’s own “frustration regarding his individual dispute with the Assistant Manager over mispriced or misplaced sale items.” The General Counsel also concluded that the responses to the posts by the employee’s coworkers did not convert these individual gripes into collective action because those comments reflected the coworkers’ understanding that the employee was speaking only on behalf of himself. One coworker laughed (“bahaha like!”); one coworker asked why the employee was so “wound up;” and a third expressed only emotional support (i.e., “hang in there”).

In each of the three Advice Memoranda, the General Counsel referred to the same or similar legal standards. These standards also provide useful guidance and include the following:

  • Protected: When the employee “acting with or [on] the authority of” coworkers (a) “seeks to initiate, induce or prepare for group action,” or (b) “brings truly group complaints to the attention of management.”
  • Protected: The employee’s activities are “the logical outgrowth of concerns expressed by the employees collectively.”
  • Unprotected: The employee is engaging in activity “solely by and on behalf of the employee himself.”
  • Unprotected: The employee’s comments are “mere griping” as opposed to “group action.”

While these guidelines and the Advice Memoranda obviously do not address the full range of Facebook conduct that intersects with the workplace, they do at least provide some guideposts for employers when deciding whether to discipline or fire an employee based on his or her obnoxious or offensive Facebook post.

"Social Checks" Come of Age: What Does It Mean for Employers?

By Philip Gordon

Last month, the Federal Trade Commission (FTC) published a letter closing its investigation into whether an “Internet and social media background screening service used by employers in pre-employment background screening” complied with the Fair Credit Reporting Act (FCRA). At first blush, the letter appears to be a non-event. The FTC did not impose a penalty but also admonished that its “action is not to be construed as a determination that a violation may not have occurred.” While not much can be drawn from this equivocal result, the FTC’s letter does contain the following important conclusion: the “social check” service in question, known as Social Intelligence, “is a consumer reporting agency because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.” Put into plain English, employers that rely on a social check service, like Social Intelligence, to search social media for information about job candidates must comply with the FCRA.

This conclusion likely will have an impact on a substantial number of employers. According to a recent study by the Society of Human Resources Management (SHRM), more than 50% of employers are relying on social media for recruitment purposes, up from 34% in 2008, and another 20% plan to use social media for recruiting in the future. The SHRM study does not address the percentage of employers that conduct these searches exclusively in-house, in which case the FCRA would not apply, as compared to those that rely on a third-party service, in which case the FCRA likely would apply. However, the fact that the social check space is beginning to fill with new enterprises, like Social Intelligence, suggests that the number of employers that are relying on third parties to conduct social checks has grown significantly.

When the FCRA does apply, employers will need to take the following steps vis-à-vis any applicant who is the subject of a social check. First, review the notice and authorization currently provided to applicants before more traditional background checks are conducted to ensure that those documents encompass social media searches. Second, ensure that applicants who may be eliminated from consideration based in whole or in part on the results of a social check receive a pre-adverse action notice which provides the applicant with the report received by the employer, the FTC’s “A Summary Of Your Rights Under the FCRA,” and an opportunity to dispute the apparently adverse information with the service provider which ran the social check. Third, upon rejecting the applicant, send a final adverse action notice to the applicant containing the language required by the FCRA.

These legal compliance requirements are straightforward enough, but they, and in particular, the pre-adverse action notice requirement, highlight vexing practical issues: What social media information should be reported in the first place? Is the information relevant to the hiring decision? Is the information reliable? There can be no question that social media posts may contain information that employers may not lawfully consider when vetting an applicant, such as disability, protected and lawful off-duty conduct, or genetic information. There also can be no question that social media posts often contain information that warrants rejection of a candidate. According to a recent study by the Society of Corporate Compliance and Ethics, more than 40% of respondents had disciplined an employee based on his or her social media conduct. However, these two groups of information set only the polar extremes; employers still must determine what, if anything, will be reported concerning the vast range of social media content falling in the middle and how they will fairly evaluate that information. Social Intelligence, for example, notes on its Web site that its customer set-up tools leave to the employer responsibility for “defining screening filters (for evaluating individuals) and redaction criteria (for censoring information).”

Reliability is another critical issue for employers using social media to evaluate job candidates. In the case of more traditional pre-employment screening, the nature of the information itself engenders a higher probability, albeit not certainty, that information is accurate. Court systems, educational institutions, and employers, for example, have an inherent interest in maintaining accurate records for their own legitimate business purposes. By contrast, social media are replete with false, doctored, and biased information about others. Social Intelligence suggests a solution to this issue by noting on its Web site that it reports “only information the applicant has created himself.” However, completely eliminating social media information posted by third persons arguably reduces the effectiveness of a social check to some extent. Perhaps more importantly, social media posts apparently created by the author can be forged. I have recently counseled clients on two separate occasions where employees denied having posted on their Facebook wall negative information about the employer or co-workers, credibly claiming that others had stolen their log-in credentials or hacked into their account.

The absence of any inherent reliability in most social media information emphasizes the importance of providing applicants with a pre-adverse notice even when there is no legal obligation to do so. Employers easily could lose potentially outstanding employees by relying on social media content that is false, misleading or inaccurate. Even if apparently adverse information turns out to be accurate and true, the applicant’s explanation of that information could demonstrate maturity and honesty as opposed to evasiveness and bad character.

With use of social media for hiring becoming increasingly common, human resources professionals and in-house employment counsel need to scrutinize their organization’s use, or potential use, of this new tool and answer several challenging questions. Most importantly, how should social checks supplement more traditional means of vetting applicants’ credentials and pre-employment screening for adverse information? What types of information does the organization need and how will that information be weighted? Next, will the information be gathered through in-house resources or an external service provider, such as Social Intelligence? If the latter, how will FCRA compliance be worked into the social check process? Finally, particularly given the newness of social checks, employers should evaluate them at least annually with one key question in mind: Have the social checks improved the effectiveness of the organization’s hiring process and the quality of new hires?
