On October 18, 2012, the Illinois Supreme Court delivered a very important decision for Illinois employers in Lawlor v. North American Corporation of Illinois, Case No. 112530 (Oct. 18, 2012). The court not only confirmed that the tort of intrusion upon seclusion is recognized in Illinois, it also applied principles of agency law to find an employer liable for the torts of a non-employee private investigator because the investigator was acting as the employer's agent. To learn more about the decision, please see Littler's ASAP, Illinois Supreme Court Recognizes Privacy Tort and Holds Employer Liable Under Agency Law, by David Haase, Kathryn Siegel, and Ethan Zelizer.
Reproduced with permission from the HR Library. Copyright © 2012 The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
The story went viral, and legislators around the country caught the virus. On March 21, 2012, the Associated Press reported a few incidents where employers had requested or required log-in credentials from applicants or employees to access their personal social media account. Over the next three weeks, more stories were published; some regurgitating the incidents originally reported by the A.P., and others reporting on additional, alleged inquiries. The media frenzy stoked public outrage. Legislators around the country and in Congress sought to ride the wave of public sentiment by introducing legislation to slam the door on the perceived abuse. The result has been one state law as well as bills pending in eleven states and in Congress that are unnecessary, radically rewrite the law of privacy, and unfairly expose private employers to potential liability.
Social Media “Password Protection” Laws Are Unnecessary
Neither the A.P. article nor any other article from a major U.S. news outlet comprising the media frenzy of spring 2012 cites a single study proving that private employers routinely ask applicants or employees for log-in credentials to their personal social media accounts. In fact, a careful review of the anecdotal “evidence” contained in these news stories demonstrates that the exact opposite is true. All of the media coverage combined reported one instance in which a private employer requested log-in credentials. All but this one reported incident involved public employers, such as corrections departments and police forces. The overwhelming buzz drowned out this distinction.
The only empirical data of which we are aware is fully consistent with this anecdotal evidence demonstrating that private employers do not ask for log-in credentials. Littler Mendelson’s Executive Employer Survey Report, published in June 2012, asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: “Has your organization requested social media logins as part of the hiring or onboarding process?”1 The response: 99% of respondents answered the question in the negative.
In sum, at least as far as private employers are concerned, there is no proven need for password protection laws. Both the available anecdotal and empirical evidence, albeit limited, compel the conclusion that private employers are not asking applicants or employees for personal social media log-in credentials.
Social Media “Password Protection” Legislation Radically Rewrites the Common Law of Privacy
The one password protection bill that has been enacted, in Maryland, as well as the password protection legislation pending in eleven states — California, Delaware, Illinois, Michigan, Minnesota, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington — and in Congress, generally prohibit employers from requesting or requiring that employees or applicants provide the log-in credentials for a personal social media account. The underlying premise of these bills is that an employer invades an applicant’s or employee’s privacy by viewing content on a restricted access social media account without the voluntary consent of the account holder. Digging one step deeper, these bills, at their core, are saying that the content of a restricted access social media account is private no matter how many people the user invites to view that content and regardless of the relationship between the user and the viewer. Put more plainly, these bills declare, for example, that a Facebook user who has more than 500 “friends,” including current and former supervisors and other executives at his current employer, can establish the “privacy” of his content by using Facebook’s privacy settings to restrict access to “Friends Only.”
No court has ever construed the tort of invasion of privacy by intrusion upon seclusion so broadly. That tort requires, in the first instance, a “private fact” which can be the subject of an intrusion. The vast majority of courts have held that, if the fact that is the subject of the claim has been disclosed to even a small number of people not under a legal or contractual obligation of confidentiality, the fact is not private and the intrusion upon seclusion claim fails.2 To be sure, a small number of cases have permitted an intrusion upon seclusion claim to proceed even though the plaintiff had shared the private fact with others. However, in virtually all of these cases, the private fact was shared within a group that had a very specific relationship with the plaintiff, such as co-workers or participants in an in vitro fertilization program.3 We are not aware of any case holding that facts disclosed to dozens or hundreds of people who do not form a cohesive group are private from a private employer, especially when that group includes management-level employees of the employer who is the defendant on the privacy claim. In sum, the password protection laws create a “ring of privacy” with a circumference that is far larger than any court has recognized to date.
Notably, the one reported case where a jury considered whether an employer committed an intrusion upon seclusion by accessing two employees’ restricted-access social media site resulted in a verdict on that claim for the employer. In that case, Pietrylo v. Hillstone Restaurant Group, a group of employees at a Houston’s restaurant (the chain owned by the Hillstone Restaurant Group) established an invitation-only, password-protected MySpace page.4 In the words of the site’s founder, the page would permit group members to “vent about any BS we deal with [at] work without any outside eyes spying in on us.” The founder emphasized in his first post that “[t]his group is entirely private.” Houston’s accessed the site after a group member shared her log-in credentials with management. After viewing the venting about the company, management, and customers, the restaurant fired the site’s founder and another group member. Both responded by suing Hillstone for, among other claims, violating the federal Stored Communications Act (the “SCA”) and common law invasion of privacy.
While the jury’s verdict for the fired employees on their SCA claim has received substantial press and academic attention, the jury’s verdict for Hillstone on the invasion of privacy claim seems to have been lost in the shuffle. The jury’s verdict form reveals the jury rejected that claim based on its finding that the fired employees did not have a reasonable expectation of privacy in the content they posted on their site. The jury reached this conclusion despite the password protection, despite the invitation-only rule, and despite the founder’s pronouncement that the site was “entirely private.” A fair inference is that the jurors believed the fired employees could not reasonably expect privacy in content that was available to numerous group members and that could be further disclosed by any group member to anyone, including journalists, without restriction.
Legislators, of course, are free to create a public policy that overturns decades of common law jurisprudence, particularly when necessary to address new technology not yet considered by common law courts. However, the validity of a new public policy should be closely scrutinized when there is no apparent need for it, it is so broad that it leads to absurd results, and, as explained below, it potentially exposes all private employers to substantial liability.
Social Media Password Protection Legislation Exposes Private Employers to Liability
Legislators appear to have been so swept up by the media frenzy over the perceived, but unproven, injustice of private employers asking for personal social media log-in credentials that they drafted legislation with little consideration of employers’ legitimate interests. To illustrate the point, virtually all of the pending password protection bills applicable to private employers prohibit requests for personal, social media log-in credentials without exception. In other words, these bills effectively find that private employers never have a legitimate business reason to require, or even request, such log-in credentials.
Notably, the one state which has actually enacted a password protection law recognized that a blanket prohibition is unjustified. Under Maryland’s password protection law, an employer can ask for personal social media log-in credentials when needed to investigate securities law violations or a misappropriation of trade secrets. Delaware’s pending bill, alone among the pending bills, carves out an exception for securities-related investigations.
These exceptions, however, are unjustifiably narrow. There is no reasoned basis for distinguishing between investigations into securities fraud or misappropriation of trade secrets and those into other forms of unlawful or even criminal conduct. To illustrate the point, in all states, including Maryland, an employer could not fully investigate potential workplace violence. The password protection legislation would prevent an employer from going to the source if an employee were to report that a co-worker had posted on his restricted-access social media account the following: “I’m so angry I want to kill my boss” or “I hate work. I’m gonna blow the place up.” Thus, the employer would lose the benefit of critical information, such as the context of the post and other indicia of the seriousness of the threat revealed by the actual content.
It is unclear whether the survivors of murdered employees could hold the employer legally responsible in this scenario for failing to investigate the incident adequately, but no one wants to see a test case. Critically, these examples are not hypothetical hyperbole. According to James Turner, Ph.D., president of the International Assessment Services and one of the foremost experts in the field of workplace violence, it is not uncommon for those planning to commit murder to provide clues to their homicidal intent in Internet postings before they pull the trigger. For example, a gunman wrote a series of posts to an online bulletin board, the last of which stated “It’s time,” before murdering seven people in a Tokyo shopping mall.5 Another gunman posted “I wonder if I’d make the six o’clock news if I just starting popping people off” before killing three guards and wounding a fourth on the University of Alberta campus.6
The password protection bills, as currently drafted, as well as the Maryland law, also thwart investigations into workplace harassment. It would be naïve to believe that the bullying which used to happen on the shop floor or in the break room has not moved to social media. Indeed, the California Court of Appeals recently affirmed a jury’s verdict holding an employer responsible for its employees’ bullying of a co-worker with a disfigured hand. The court relied heavily on co-workers’ scathing blog posts that referred to the employee as “The Claw” and ruthlessly ridiculed him because of his disability.7 In the California case, the employee was able to discover and report the bullying to his employer because the blog posts were public. Password protection laws, however, would throw a cloak of secrecy around this type of illegal conduct when conducted through a restricted-access social media account.
As with the workplace violence scenario, it is unclear whether an employer could be held responsible for work-related harassment that is inaccessible to the employer. The plaintiffs’ bar can be expected to try. Putting aside legal liability, workplace harassment and threats of workplace violence that are visible to co-workers, but invisible to the employer, will have intangible costs for the workplace, such as undercutting employee morale, causing tension among co-workers, and distracting employees from their work. Given the absence of any proof that private employers are asking for social media log-in credentials, there is no justification for legislatures to impose on employers those costs or the potential liability arising from an inadequate investigation of employees’ unlawful work-related social media conduct.
While the risks arguably are not as serious, the application process still can present situations where an employer justifiably seeks access to content posted on a restricted-access social media account. For example, if a current employee were to inform her human resources manager that she has seen content on an applicant’s “friends-only” Facebook page that raises serious questions about the applicant’s suitability for employment with the employer, the employer should be able to gain access to that information whether by asking the applicant or the employee for log-in credentials, for permission to “shoulder surf,” or for a hard copy or screen shot of the content in question. While the phrasing of the Maryland law and the pending password protection bills is somewhat ambiguous, they all appear to put the applicant’s social media content completely off-limits, regardless of which of these methods the employer wishes to use. Given the substantial disruption and cost to private employers of a “bad hire,” they should not be completely foreclosed from this source of information, particularly given that a host of laws — such as Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Age Discrimination in Employment Act, and the Genetic Information Non-Discrimination Act of 2008 — already substantially restrict an employer’s ability to use social media content for employment decisions.
State and federal legislators should recognize that they may have “jumped the gun” by relying on hype rather than facts in their hurried attempt to get ahead of a public outcry. At this point, there is no empirical data suggesting that private employers are routinely or even occasionally requesting or requiring personal social media log-in credentials. Consequently, it is not necessary to enact legislation that would radically expand the definition of “privacy” and substantially impede employers’ ability to investigate potentially unlawful and even criminal conduct.
1 Littler Mendelson Executive Employer Survey Report (June 2012), available at http://www.littler.com/content/littler-mendelson-executive-employer-survey-report-2012.
2 See, e.g., Duran v. Detroit News, Inc., 200 Mich. App. 622 (1993) (intrusion claims failed because the information defendants obtained was either available via public record or had been disclosed by plaintiffs such that it was “open to the public eye”); Fletcher v. Price Chopper Foods of Trumann, Inc., 220 F.3d 871, 877-78 (8th Cir. 2000) (intrusion claim failed where plaintiff asserted a privacy interest in the medical fact that she had a staph virus at the time of her employment termination because plaintiff revealed this information to her co-workers); cf. Nader v. Gen. Motors Corp., 25 N.Y.2d 560, 568-69 (1970) (intrusion claim was unsupported by allegations that defendants interviewed people who knew plaintiff and thereby obtained information of a private nature because plaintiff assumed the risk that those he confided in may breach that confidence; plaintiff’s claim was supported on other grounds such as unauthorized wiretapping).
3 See, e.g., Sanders v. Amer. Broadcasting Cos., 20 Cal. 4th 907 (1999) (even though the plaintiff’s conversation could be seen and overheard by co-workers, plaintiff’s intrusion claim could proceed where media reporter covertly taped plaintiff’s conversation). Cf. Y.G. v. Jewish Hosp. of St. Louis, 795 S.W.2d 488, 502 (Mo. Ct. App. 1990) (plaintiffs’ use of in vitro fertilization was a private matter even though they attended a social function for participants in the hospital’s in vitro fertilization program).
4 Pietrylo v. Hillstone Rest. Group, No. 2:06-cv-05754-FSH-PS (D.N.J. 2008).
5 Norimitsu Onishi, Man who killed 7 in Tokyo left online warnings, N.Y. TIMES (June 9, 2008), http://www.nytimes.com/2008/06/09/world/asia/09iht-09tokyo.13575210.html.
6 Michelle McQuigge, Chilling Facebook comment preceding armed guard murders stokes employee online privacy debate, THE CANADIAN PRESS (June 23, 2012), http://news.nationalpost.com/2012/06/23/chilling-facebook-comment-preceding-armed-guard-murders-stokes-employee-online-privacy-debate/.
7 Espinoza v. County of Orange, No. G043067 (consol. with G043345) (Cal. Ct. App. 2012).
Some Smoke Clears in Washington: State Supreme Court Holds Employee Has No Claim After Being Terminated for Medical Marijuana Use
On June 9, in Roe v. TeleTech Customer Care Mgmt (Colo.), LLC, the Washington State Supreme Court held that the state’s Medical Use of Marijuana Act (MUMA): (1) does not prohibit an employer from discharging an employee for medical marijuana use or provide a civil remedy for such a discharge; and (2) does not “proclaim a sufficient public policy to give rise to a tort action for wrongful termination for authorized use of medical marijuana.” Like the decisions in Ragingwire (pdf) in California, Emerald Steel Fabricators in Oregon, and Columbia Falls Aluminum Company (pdf) in Montana, which we discussed here, here and, most recently, here, TeleTech gives wide berth to employers that discharge employees who use drugs.
Washington voters adopted the MUMA in 1998. It provides an affirmative defense to a physician authorizing the use of medical marijuana and to qualified patients and caregivers engaging in the medical use of marijuana who are accused of marijuana-related crimes in Washington. The law expressly provides that employers are not required to accommodate “any medical marijuana use in any place of employment….” In 2007, MUMA was amended to clarify that employers are not required to accommodate any “on-site” use of medical marijuana in the workplace.
Roe, who used a pseudonym in the case because use of medical marijuana remains illegal under federal law, had debilitating migraine headaches. Conventional treatments did not alleviate the pain, but marijuana did. In June 2006, a physician issued her a written authorization under MUMA to use marijuana for medical purposes, which she did. In October 2006, TeleTech, a business outsourcing company, hired Roe as a customer service representative. Roe’s job offer was contingent on a negative drug test. She informed TeleTech of her use of medical marijuana outside the workplace and subsequently failed the drug test, and the company fired her.
Roe filed suit against TeleTech, asserting that the company terminated her employment in violation of MUMA and wrongfully discharged her in violation of public policy. The trial court granted summary judgment in TeleTech’s favor, and the Washington Court of Appeals upheld the decision.
The Washington Supreme Court affirmed. Roe first argued that TeleTech violated the MUMA itself. But the court held that the Act unambiguously provided only an affirmative defense to a criminal marijuana charge, not a civil claim against an employer. The court explained that if the employer was not required to accommodate on-site medical marijuana use, it was not required to accommodate medical marijuana use off site, as Roe was asking it to do. Finally, the court noted that the fact that Roe used marijuana at home without being impaired in the workplace was irrelevant because regardless of Roe’s ability to do her job, the statute did not confer on her a right to sue her employer.
Roe then argued that even if TeleTech had not violated MUMA, the court should recognize a civil tort claim for wrongful termination in violation of public policy based on her discharge. Quoting MUMA, she urged that the public policy proclaimed by the law was that “the medical use of marijuana by patients with terminal or debilitating illnesses is a personal, individual decision.” But the court held that the language of the MUMA “do[es] not recognize a broad policy that would remove any impediment to medical marijuana use or impose an obligation that employers accommodate such use, and that Washington patients have no legal right to use marijuana under federal law.”
Along with Ragingwire and Steel Fabricators, the TeleTech decision is the third in a string of appellate victories for employers in cases involving the termination of employment of employees for use of medical marijuana, whether or not on site and whether or not the employee is impaired during work. But any sigh of relief by employers may be premature:
- In the future, Washington medical marijuana users may seek to bring claims based on a recent change in MUMA that was not argued in Roe. Less than two months ago, Washington amended MUMA to provide expressly that the law does not require any accommodation of an employee’s medical marijuana use if the employer has a drug-free workplace policy. In the future, the discharge of an employee terminated for medical marijuana use by an employer lacking such a policy may be rendered illegal under the revised statute. Employers that do not have drug-free workplace policies should consider implementing them to avoid falling prey to such a claim in the future.
- The highest courts in only 4 of the 15 jurisdictions (14 states and the District of Columbia) that have medical marijuana laws have ruled on any of the questions at issue in TeleTech. Courts in other states may reach contrary conclusions under their own laws. Some states, like Colorado, enshrine their medical marijuana law in the state constitution, a source of law that employees are likely to assert is deserving of greater deference than a statute.
- Stay tuned because any federal law developments may change the legal landscape in state courts. Medical and other use, possession and distribution of marijuana continue to violate federal law. New legislation recently introduced in Congress, if it ultimately becomes law, is likely to change this. If that happens, many states are likely to follow suit, creating new challenges for employers in addressing employment issues raised by the use of medical marijuana by prospective or current employees.
- There are other issues employers may confront even if state medical marijuana law does not create any employer liability for discharge for use of medical marijuana, for example:
  - Disabilities, serious health conditions, and genetic information of which the employer becomes aware because an employee discloses them in describing use of medical marijuana;
  - Government contracts requiring employers to observe drug-free workplace requirements; and
  - Occupational safety and health issues involving workers who use medical marijuana.
- Even wary employers may find their drug-free workplace policies jeopardized by managers who sympathize with colleagues who use medical marijuana. Such managers may create liability if they are insufficiently or inconsistently committed to enforcing their employer’s drug-free policies.
The long-term legal effects of medical marijuana in the workplace continue to be hashed out in elections, legislatures and courts. But at least for now, the Washington Supreme Court’s decision in Roe helps clear the air for employers in that state to exercise substantial discretion in enforcing their drug-free workplace rules.
For additional analysis on this development, see Littler ASAP “Washington Supreme Court Blunt in Ruling: No Claim for Wrongful Discharge Under State’s Medical Use of Marijuana Act” by Dale L. Deitchler and Daniel L. Thieme.
By Ellen Giblin
The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare. Then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.
In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).
Although the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept Payment Cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.
What does this mean to my company?
The Judgment by Consent has far-reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems are all covered by these laws and regulations.
What should my company do?
Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords; user access should be limited on a need-to-know basis and removed promptly after an employee is terminated; and employees need to be trained on your organization’s information security policies, and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirements for a Written Information Security Plan, and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.
What are the consequences of not complying?
The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair and deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action.
In a recent published decision, the Ninth Circuit Court of Appeals held that the threat of identity theft arising from stolen personal information about current and former Starbucks employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court. This victory was short-lived, however, because the court also held — consistent with many other courts deciding security breach notification cases — that the plaintiffs had not pleaded, and could not prove, that Starbucks’ actions caused them any cognizable harm under state tort or contract law.
In 2008, someone stole a laptop computer from Starbucks containing the unencrypted names, addresses, and social security numbers of nearly 100,000 Starbucks employees. The company informed all affected employees of the theft and offered them one year of free credit monitoring services. Three current and former Starbucks employees who were affected brought two nearly identical putative class action lawsuits against Starbucks, alleging that the compromise of their personal information amounted to negligence and a breach of an implied contract:
- One plaintiff asserted she had been “extra vigilant about watching her banking and 401(k) accounts,” spent a “substantial amount of time doing so,” and will pay out-of-pocket for credit monitoring services once the free service expires.
- The second plaintiff alleged he “spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts,” placed fraud alerts on his credit cards, and “has generalized anxiety and stress regarding the situation.”
- The third plaintiff maintained that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and he did not allege that he suffered any financial loss.
In its decision, the Ninth Circuit addressed the issue of whether the plaintiffs had standing to sue Starbucks. All parties agreed that standing requires a plaintiff to show that: (1) he or she has suffered an injury that is concrete and particularized, as well as actual or imminent rather than conjectural or hypothetical (injury in fact); (2) the injury in fact is fairly traceable to the challenged action of the defendant (causation); and (3) it is likely that the injury will be redressed by a favorable decision (redressability).
Starbucks conceded both causation and redressability, so the Ninth Circuit addressed only injury in fact. It noted that the alleged victim of identity theft would have an injury in fact when he or she faces a credible threat of harm. It then held that each of the plaintiffs below had alleged a credible threat of real and immediate harm stemming from the theft of the Starbucks laptop. In so doing, the Ninth Circuit reached a result similar to that of the Seventh Circuit, but contrary to the application of what appears to be a stricter standard in the Sixth Circuit.
In a second, unpublished memorandum opinion issued the same day, the Ninth Circuit held that even if the plaintiffs' allegations were true, they would not support a claim under state tort or contract law. Under Washington law, said the court, “[t]he mere danger of future harm, unaccompanied by present damage,” was insufficient to support a negligence claim. The court then rejected the plaintiffs’ argument that there was an implied contract between the plaintiffs and Starbucks and dismissed both claims.
Although Starbucks ultimately prevailed, this case underscores three practical lessons. First, employers continue to incur attorneys’ fees, litigation and credit monitoring costs, and the imputed costs associated with staff resources that must be devoted to defending against such class action lawsuits. Second, the prospect of having to incur such costs creates a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. Third, the putative plaintiff class included former employees, highlighting the need to extend safeguards to the personal information not only of current employees but also of job applicants and former employees.
For years now, employers have been warned that a detailed, electronic resources policy is the best defense against vicarious liability for the actions of employees who use corporate e-mail or Internet access like a bully in a sandbox. A recent decision from the California Court of Appeals highlights a potentially more potent defense that has received little attention in employment law circles.
The Communications Decency Act of 1996, 47 U.S.C. §230 [CDA] immunizes any “provider . . . of an interactive computer service” from liability under any state law for information published on the service by someone else. In Delfino v. Agilent Technologies, the plaintiffs sued Agilent for intentional infliction of emotional distress because a former Agilent employee had used Agilent’s e-mail system and Internet access to communicate numerous threatening messages to the plaintiffs. The California Court of Appeals affirmed summary judgment for Agilent based on the CDA.
As a matter of first impression, the court held that a corporate employer, like Agilent, who offers e-mail and Internet access is an interactive computer service provider for purposes of the Act. Because the employee, not Agilent, provided the threatening messages, and the plaintiffs sought relief only under state tort law, the CDA immunized Agilent from liability. By analogy, the CDA can be used to get rid of those pesky state law claims, like negligent hiring, negligent supervision, intentional infliction of emotional distress, and defamation, that tend to accompany Title VII claims alleging harassment through an employee’s use of corporate electronic resources.