Portfolio Media. Inc. | 860 Broadway, 6th Floor | New York, NY 10003 | www.law360.com
Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | [email protected]
Choose Your Friends — And Privacy Settings — Wisely
Law360, New York (October 02, 2013, 5:20 PM ET) -- Congress enacted the Stored Communications Act,
18 U.S.C. §§ 2701–2711, in 1986 to protect the privacy of early electronic communications. The SCA
attempts to shield the privacy of these communications much in the same way the Fourth Amendment
protects home privacy, albeit not with the same constitutional strength. See generally, Orin S. Kerr, A
User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending it, 72 Geo. Wash.
L. Rev. 1208 (2004) (describing the SCA’s genesis in light of contemporary technology).
Unlike its better-known cousin, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, the SCA has not
been substantially amended since it was first enacted. The statute reflects legislation passed before
Internet and Web browsers came of age, and the technology it intended to compass has since changed
dramatically. But the SCA still fulfills its role as guardian of the privacy of electronic communications,
including that of Internet communications.
Private Causes of Action Under the SCA
The SCA creates a private cause of action against whoever violates its provisions. 18 U.S.C. § 2707.
Unlike the CFAA, with which it arguably overlaps, the SCA does not require that the plaintiff’s damages
exceed $5,000 in any one year to authorize a claim. See 18 U.S.C. 1030(g); (c)(4)(A)(i)(I)–(V).
Employees have invoked the SCA to sue employers who invade employees’ privacy by snooping around
their social media Web pages. See generally, Catherine Crane, Social Networking v. the Employment-atWill Doctrine: A Potential Defense for Employees Fired for Facebooking, Terminated for Twittering,
Booted for Blogging, and Sacked for Social Networking, 89 Wash. U.L.R. 639 (2012) (discussing cases).
A recent New Jersey case shows that the SCA protects social media subscribers against such snooping —
but only under some circumstances. Ehling v. Monmouth-Ocean Hosp. Serv. Corp. (D.N.J. Aug. 20, 2013).
Ehling’s Facebook Post
Plaintiff Deborah Ehling was a nurse and paramedic employed by Monmouth-Ocean Hospital. Following
a violent incident at the Washington, D.C., Holocaust Museum, she posted the following statement on
Facebook:
An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning
and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He
survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU
THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other
guards ... go to target practice.
Ehling, 2013
Ehling’s privacy settings limited access to her “wall” to her 300-odd Facebook friends. The friend list
included many co-workers but no hospital managers. Unbeknown to Ehling, one of her Facebook
“friends,” Ronco, took a screenshot of her wall and sent it to a hospital manager he had befriended.
Concerned hospital management temporarily suspended Ehling with pay because her post “reflected a
‘deliberate disregard for patient safety.’” Id. at *3. The hospital eventually terminated Ehling, for various
reasons, but not before she sued the hospital and two of its managers alleging multiple claims, including
a claim for violation of the SCA related to the Facebook post.
The court rejected Ehling’s SCA claim and granted the defendants’ motion for summary judgment. The
court held that the SCA protected Ehling’s posts, but that an exception applied to defeat that protection.
Id. at 5.
The Stored Communications Act
The SCA criminalizes the conduct of “whoever—
(1) intentionally accesses without authorization a facility through which an electronic communication
service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it
is in electronic storage in such system.”
18 U.S.C. §§ 2701(a).
For definitions, the SCA refers back to the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510–
2522 (“ECPA”). Id. at § 2711. The ECPA broadly defines an “electronic communication service” as “any
service which provides to users thereof the ability to send or receive wire or electronic
communications.” 18 U.S.C. § 2510(15). An “electronic communication” is “any transfer of signs, signals,
writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire,
radio, electromagnetic, photoelectronic or photo-optical system that affects interstate or foreign
commerce.” Id. at § 2510(12). “Electronic storage means—
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the
electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup
protection of such communication.”
Id. at § 2510(17).
The ECPA and the SCA do not define “backup protection.”
Some exceptions apply. “It shall not be unlawful ... [to] access an electronic communication ... that is ...
readily accessible to the general public.” Id. at § 2511(2)(g)(i). Moreover, the SCA “does not apply with
respect to conduct authorized —
(1) by the person or entity providing a wire or electronic communications service; [or]
(2) by a user of that service with respect to a communication of or intended for that user.”
18 U.S.C. § 2701(c).
A “user” is “any person or entity who—
(A) uses an electronic communication service; and
(B) is duly authorized by the provider of such service to engage in such use.”
18 U.S.C. § 2510(13).
Ehling’s Facebook Posts Fell Under the Aegis of the SCA Because of Her Privacy Settings
The court held that the SCA protects Facebook posts “that are configured to be private” because these
posts meet the four SCA criteria that the court distilled from the statutes. Namely these posts are “(1)
electronic communications, (2) that were transmitted via an electronic communication service, (3) that
are in electronic storage, and (4) that are not public.” Ehling, 2013.
The court cited the plain meaning of 18 U.S.C. §§ 2510(12), (15) to hold that Facebook posts are
electronic communications transmitted via an electronic communication service.
Significantly, the court invoked the ECPA’s “backup” provision to hold that “Facebook wall posts are in
electronic storage.” Id. at *7 (citing 18 U.S.C. § 2510(17)(B) and California law). The court held that wall
posts are not held in “temporary, intermediate storage” and, therefore, did not qualify for SCA
protection under 18 U.S.C. § 2510(17)(A). But the court held that “[b]ecause Facebook saves and
archives wall posts indefinitely, the court finds that wall posts are stored for backup purposes,” are,
therefore, “in electronic storage,” and thus are qualified for protection under 18 U.S.C. § 2510(17)(B). Id.
Finally, the fact that Ehling’s Facebook privacy settings restricted access to just her Facebook friends
meant that these posts were “not accessible to the general public,” irrespective of the number of
friends. Id. at *8. For these reasons, Ehling’s posts fell under the aegis of the SCA and were, therefore,
protected. Id.
The SCA’s Authorized-User Exception Applied to Ehling’s Facebook Posts
The Ehling court next held that access to Ehling’s post was “authorized” because the facts showed that
Ronco had acted at his own initiative and without any direction or inducement from Hospital
management. Id. at **2, 9 (citing 18 U.S.C. § 2701(c)). Ronco was a “user” as that term is defined in the
ECPA because Ehling added him as a Facebook friend. Id. at *10 (citing 18 U.S.C. § 2510(13)). Moreover,
Ehling’s post was “intended” for her friends, including Ronco. For these reasons, the court held that
Ehling’s post fell under the user exception of the SCA and, therefore, Ehling’s claim was denied. The
court granted defendants’ motion for summary judgment. Id.; 18 U.S.C. § 2701(c).
Ehling is only one of a handful of cases that address whether the SCA applies to social media posts.
Ehling, 2013. It is a significant case if only for this reason. Ehling’s holding means that employees’ social
media posts (to sites such as Facebook and MySpace) are protected from employers’ scrutiny, provided
that privacy settings allow only friends to read the posts, and these friends do not voluntarily
communicate the posts to employers.
Ehling clarifies the issue left unanswered by Konop and Pietrylo, namely that employers can rely on
publicly available website information when they make employment decisions. Konop v. Hawaiian
Airlines Inc., 302 F.3d 868 (9th Cir. 2002); Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (FSH),
(D.N.J. Sept. 25, 2009).
In Konop, the Ninth Circuit held that the SCA’s § 2701(c)(2) liability exception was inapplicable to an
employer who obtained access to an employee’s private and password-protected website through
another employee who was not a user of the site. Konop, 302 F.3d at 880. The other employee was
eligible to join the website, but had not and, therefore, was not a “user” who could grant access to the
employer. Id.
Similarly, the Pritrylo court held that an employer’s access to an employee’s private website is not
authorized when the employer pressures a coworker to provide the latter’s log-in information. Pietrylo,
2009. Ehling confirms that an employer can avoid SCA liability when it gains access to information on a
private website when one of the website’s users voluntarily provides this information.
Of course, employment decisions remain subject to the various preexisting limitations that apply when
using any information against an employee. Employers must not unnecessarily infringe on employees’
Section 7 rights under the National Labor Relations Act to gripe about terms and conditions of
employment. Assuming that an employee is not engaging in such protected conduct, however, a
company may discipline an employee whose unprofessional posts dilutes the company’s image if the
employer obtains the information without coercion.
Beyond the facts in this case, it logically follows that employers are free to impose electronic-usage
policies that grant employers consent to monitor, for legitimate purposes, all social media activity
carried on through company-owned hardware. Employers should be able to use this media activity to
make employment-related decisions under the protection of the SCA’s “authorized user exception.”
The interesting case will be the one where an employee has granted the employer blanket consent to
monitor the employee’s social media activity, and the employer obtains access to a password-protected
private social media website. Will the courts decide Konop and Pietrylo against the employee under this
fact pattern?
Ehling might not be the last word on the important issue of employer access to private employee
websites. Beyond new fact patterns that will inevitably arise as Internet-based social media evolve and
take-on new forms, the Ehling court’s reliance on the ECPA’s “backup” provision to hold that Facebook
wall posts are in electronic storage is not without its detractors. See 18 U.S.C. § 2510(17)(B). At least one
commentator has argued that the analysis in one of the cases that the court indirectly cited was “quite
implausible and hard to square with the statutory text.” Kerr, supra, at 1217−18 and n.61 (citing Theofel
v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003)).
Arguably, Kerr has a point. As noted, the SCA does not define “backup protection” and a software-savvy
attorney might question how a new Facebook post meets the text and intent of 18 U.S.C. §§ 2701(a) and
2510(17)(B). The wall posts that Facebook friends see are not “backups” in the software sense of the
term, but older posts are according Ehling’s holding. Ehling, 2013 (new wall posts are “immediately
saved to a Facebook server” and earlier posts are “‘eventually archived’”) (citing Crispin v. Christian
Audigier Inc., 717 F. Supp. 2d 965, 990 n.51 (C.D. Cal. 2010)). Ehling stands for the proposition that
because Facebook eventually preserves post backups, new and old posts fall under the ambit of the
SCA’s § 2510(17)(B) — even though new posts are not “backups.”
Be that as it may, Ehling is the law in the District of New Jersey and its message to employers and
employees is clear. Employers might want to approach employees’ social media pages with caution, and
employees wanting to post substantive messages might want to choose their privacy settings — and
their “friends” — very carefully.
—By Dr. Pierre Grosdidier, Haynes and Boone LLP
Dr. Pierre Grosdidier is an associate in Haynes and Boone’s business litigation practice group in Houston,
Texas. He specializes in complex commercial litigation, especially lawsuits and arbitrations with strong
engineering or software elements. He has litigated cases involving software copyrights, CFAA claims, and
an SCA claim. Prior to practicing law, Pierre worked 18 years in the process control industry. He holds a
Ph.D. from Caltech and a J.D. from the University of Texas. He is a member of the State Bar of Texas and
a registered professional engineer in Texas (inactive). Pierre thanks Haynes and Boone’s labor and
employment partner Matt Deffebach for his insightful comments regarding this article.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its
clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general
information purposes and is not intended to be and should not be taken as legal advice.
All Content © 2003-2013, Portfolio Media, Inc.