1. No category

Gnarly Surfing, Dude - American Bar Association

 Gnarly Surfing, Dude: Risks Arising When Employers Surf the Internet to Monitor Employees’ Off‐Duty Conduct Using Social Media At‐Will Employment Subcommittee ABA Employment Rights & Responsibilities Mid‐winter Meeting March 24, 2010 Paul E. Starkman A R N S T EI N & L E H R LLP 120 S O UT H R I V E RS I D E P LA ZA | S UIT E 1200 C H I C A G O , I L 6 06 06 P 3 12 . 8 76 . 789 0 | F 3 12. 8 76 . 028 8 [email protected]
PANEL
Paul E. Starkman
Chair, Labor & Employment
Law Practice Group
Arnstein & Lehr LLP
120 S. Riverside Plaza
Suite 1200
Chicago, IL 60606
(312) 876-7890
[email protected]
Tracey Wik
Mile 36 Enterprises
Chicago, IL
J. Linsay Johnston
Comcast
Oaks, PA
Steve Serratore
Serratore Law
Pasadena, CA
8901858.1
2/22/2010
TABLE OF CONTENTS
I.
Statistics on Social Networking and Employer Monitoring Efforts .................. 1
A. General Use of Social Networking Is Increasing Exponentially ..................... 1
B. Businesses’ Use of Social Networking Growing ............................................. 1
II.
Employers’ Monitoring of Employee Internet Usage Has Increased ................ 2
A. Employer Concerns of Employee Social Networking Have Grown................ 2
B. Employers Generally Have No Duty to Monitor Employees’ Off-Duty Social
Networking, But Most Do. .................................................................................. 2
C. In the Past Decade, the Percentage of Employers Monitoring Employee
Internet Use Skyrocketed by More than 45%. .................................................. 2
D. Most American Employers Have Electronic Communications Policies. ....... 3
III.
Employers’ Reasons for Monitoring Employees’ Off-Duty Internet Usage and
Social Networking: ................................................................................................ 3
A. Monitoring To Prevent Reputational Damage from “Bad Employee” Blogs
and Postings ....................................................................................................... 3
B. Monitoring To Prevent Cyber-Slander .............................................................. 5
C. Anonymous Posts Do Not Guarantee Protection from Detection.................. 5
D. Monitoring For Breaches Of Restrictive Covenants........................................ 6
E.
Monitoring to Prevent “Cyber-smearing,” “Cyber-stalking” and “Cyberharassment.”....................................................................................................... 7
1) Employees may be Discharged for Cyber-threats Sent from Home
Computers Using Company Email Systems ................................................. 7
2) Harassment by Text and Social Networking. ................................................ 8
3) New State Laws Criminalize Online Harassment. ......................................... 9
4) It is Hard to Address Cyber-Slander Through Civil Litigation. .................... 9
F.
Monitoring to Prevent Discrimination............................................................. 10
G. Monitoring to Address Employees’ Disclosure of Confidential Information
........................................................................................................................... 10
1) Social Networking Sites Address Confidential Information and IP in Terms
of Service........................................................................................................ 11
H. Monitoring to Prevent Improper “Friending,” Endorsements, and LinkedIn
Recommendations ........................................................................................... 12
1) Ethical Rules for Attorneys and Judges. ..................................................... 12
2) The FTC’s Endorsement Guides................................................................... 12
i
8901858.1
2/22/2010
I.
Screening Job Applicants’ Blogs, Social Networking Profiles, and Video
Posts.................................................................................................................. 13
1) The Potential Pitfalls for Employers from Screening Job Applicants’
Social Networking.......................................................................................... 13
IV.
The Potential Pitfalls for Employers Monitoring Employees’ Off-Duty Internet
Usage and Social Networking ............................................................................ 16
A. NLRB Issues. .................................................................................................... 16
1) Policies Barring Worker Criticism of Employer May Cause Labor
Problems. ....................................................................................................... 16
B. Invasion of Privacy Claims .............................................................................. 17
1) Employees’ Reasonable Expectation of Privacy and Employers’
“Offensive” Intrusion..................................................................................... 17
C. Federal Laws Affecting Employer Monitoring of Off-Duty Social Networking.
........................................................................................................................... 17
1) The Federal Electronic Communications Privacy Act (“ECPA”). .............. 17
2) The Stored Communications Act. ................................................................ 20
3) State Laws ...................................................................................................... 25
4) Attorney-Client Privilege Issues and Monitoring Emails............................ 26
V.
Practical Considerations and Best Practices. .................................................. 29
VI.
What the Future Holds for Employer Monitoring of Employee Off-Duty
Internet Usage ..................................................................................................... 33
SUPPLEMENTAL MATERIALS
Databases with Sample Social Networking/Blogging Policies and Guidelines ..... 35
Sample Technology and Electronic Communications Policy ................................. 36
Sample Policy on Monitoring Off-Duty Internet Usage and Social Networking..... 45
ii
8901858.1
2/22/2010
EMPLOYERS’ MONITORING OF EMPLOYEES’ OFF-DUTY INTERNET USAGE
AND SOCIAL NETWORKING
I.
Statistics on Social Networking and Employer Monitoring Efforts
A.
General Use of Social Networking Is Increasing Exponentially
Facebook advertises that it has 400,000,000 active users.1
There are more than 70 million blogs, with more than 1.4 million entries being added
daily.
Estimates of the number of twitter users range from 14 million to more than 70 million.2
B.
Businesses’ Use of Social Networking Growing
1.
According to Cisco’s 2009 Survey assessing how 97 organizations
in 20 countries use social networking tools:
•
75% of the organizations interviewed primarily use social networks as their
consumer-based social media tool.
•
roughly 50% of the group also extensively used microblogging.3
2.
President Obama, the Pope, and a number of major corporations
such as Comcast, Bank of America, UPS, Wachovia, Southwest
Airlines, Starbucks, Home Depot, Starbucks, Dell, Trader Joe’s,
Rubbermaid, and General Motors, all have official Facebook pages
or corporate Twitter accounts. They use Facebook and Twitter for
communications, recruiting, marketing, customer service, or for
other business reasons.4
3.
31% of American CEOs are on Facebook.
1
Source: http://www.facebook.com/advertising/?src=pf
2
Source: http://blog.taraganer.com/index.php/archive/how-many-twitter-users-are-there/.
3
Source: 2009 Cisco Study on the Business
http://newsroom.cisco.com/dlls/2010/prod_011310.html
Use
of
Social
Networking,
available
at:
4
Dr. Tamara Johnson, Ph.D., Twitter, Facebook and MySpace: Employee Social Networking on
Company Time, cityflight.com (August 31, 2009)
Source: http://cityflight.com/?p=532; Vincent Pascual , Twitter and Employment Law Issues, produced for
a course entitled “Employment Law and Technology,” taught at the University of San Diego School of Law
during Spring Semester 2009 available at: http://socialmedialawstudent.com/twitter/the-first-law-schoolseminar-paper-on-twitter-twitter-and-employment-law-issues/#fn-1792-1
1
II.
Employers’ Monitoring of Employee Internet Usage Has Increased
A.
Employer Concerns of Employee Social Networking Have Grown.
•
55% of employees admit to visiting social networking sites during work hours
according to a Deloitte LLP 2009 survey.5
•
74% of managers surveyed believe social networking sites put the firms and their
brand at risk. 15% consider the risks of social networking sites at the boardroom
level, but only 17% have risk mitigation policies or programs in place.
•
60% of managers believe they have the “right to know” what their employees are
saying about the company on the employees’ personal (and private) social
networking web pages, according to the Deloitte 2009 Social Networking Survey.
B.
Employers Generally Have No Duty to Monitor Employees’ Off-Duty
Social Networking, But Most Do.
Employers normally are not legally required to monitor their employees’ internet
activities, particularly off-duty activity using personally-owned equipment and systems.6
C.
In the Past Decade, the Percentage of Employers Monitoring
Employee Internet Use Skyrocketed by More than 45%.
When it comes to workplace computer monitoring, North American employers are
primarily concerned about inappropriate web surfing.
•
66% of the employers in the survey stated that they watched workers’ Internet
connections.
•
Another 45% stated that they tracked content, keystrokes, and time spent at the
keyboard.
•
An additional 43% of employers stated that they monitored employee e-mail,
either using software to review email automatically (73%) or assigning an
individual to manually read and review workers’ messages (40%).
•
12% of bosses regularly monitor the blogosphere.
5
Source: Social Networking and Reputation Risk in the Workplace” Deloitte LLP 2009 Ethics &
Workplace Survey (“Deloitte 2009 Social Networking Survey”).
http://www.deloitte.com/dtt/cda/doc/content/us_2009_ethicsworkplace_survey_150509.pdf.
6
See, e.g., Doe v. XYC Corp., 887 A.2d 1156, 1162 (N.J. Super. Ct. App. Div. 2005) (“The duty to
monitor employee’s internet activities does not exist.”).
2
8901858.1
2/22/2010
•
another 10% keep an eye on social networking sites to determine what
employees, disgruntled ex-employees, competitors, customers, critics, fans, and
others are posting about the company, its people, products, and services.
•
13% of businesses retain instant messenger chat.7
•
24% of U.S. employers have had e-mail subpoenaed by courts, and another 15%
have gone to court to battle lawsuits triggered by employee e-mail.8
D.
III.
Most American
Policies.
Employers
Have
Electronic
Communications
•
84% of U.S. employers have policies governing email use.
•
81% of organizations have policies on Internet use. 9
•
Over 80% of companies that monitor employee communications notify their
employees about the possibility of monitoring.10
Employers’ Reasons for Monitoring Employees’ Off-Duty Internet Usage
and Social Networking:
A.
Monitoring To Prevent Reputational Damage from “Bad Employee”
Blogs and Postings
The Burger King Employee Bath in Work Sink YouTube Video: In August 2008, a
YouTube video of a Burger King employee taking a bath in a sink at work while others
watched and while a manager counted money nearby. The video was posted on
MySpace and someone sent it to the health department. The health department was
not happy. All the employees involved were later fired, but Burger King had to endure
the bad publicity and issue a public apology.11
7
2007 Electronic Monitoring and Surveillance Survey from American Management Association (AMA)
and the ePolicy Institute (Results reported at: http://www.amanet.org/training/articles/The-Latest-onWorkplace-Monitoring-and-Surveillance.aspx).
8
2006 Workplace E-Mail, Instant Messaging & Blog Survey from American Management Association and
The ePolicy Institute.
9
2005 American Management Association Survey on Employer Monitoring
www.amanet.org/press/amanews/ems05.htm.
10
Adam C. Losey, Clicking Away Confidentiality: Workplace Waiver of Attorney-Client Privilege, 60 Fla. L.
Rev. 1179, 1181 (2008)(citing Ericka Chickowski, Monitoring Employee Internet Usage, PROCESSOR, at
29, 29 (Apr. 14, 2006) and Kyle Schurman, E-mail & Your Legal Rights, SMART COMPUTING, July
2001, at 140, 140–41).
11
http://www.youtube.com/watch?v=a1iyN7Y-jJQ
http://www.foxnews.com/story/0,2933,402264,00.html
3
8901858.1
2/22/2010
“KFC Moments” MySpace Posting: In December 2008, 3 KFC female employees
used a KFC sink as a hot tub, took sexy pictures in their bathing suits, and posted it on
MySpace. According to one article, the album was called “KFC Moments”. Apparently,
the privacy settings weren’t on. The girls were fired, but not before the incident was
immortalized on YouTube and other sites.12
U.S. Capitol Police “Make It Rain Foundation for Underprivileged Hoes” Facebook
Group: In April 2009, the U.S. Capitol Police members were investigated for being part
of a Facebook group degrading women. Someone tipped off the US Capital Police and
also the Washington Post. The group was called “Make it Rain Foundation for
Underprivileged Hoes” and had 1,750 members. The “let it rain” phrase referred to
tossing money up over strippers and letting it “rain” down. The Post found Facebook
pictures and links to that group for three of the nine officers that were alleged to be
involved. Two of the three men wore something identifying them as Capitol Police –
one in uniform and another in a Capitol Police T-shirt. Later the Facebook pages were
taken down. Some of the men were also alleged to be part of another “Passed out in
Trashcans” Facebook group. The investigation was announced April 23, 2009 but no
resolution has been reported.13
The Julie/Julia Project Blog. On the first day of the Blog written by Julie Powell, the
subject of the movie “Julie and Julia,” she posted this, which includes a link to the
company that employed her:
Government drone by day, renegade foodie by night. Too old for theatre, too
young for children, and too bitter for anything else, Julie Powell was looking for a
challenge. And in the Julie/Julia project she found it. Risking her marriage, her
job, and her cats’ well-being, she has signed on for a deranged assignment.14
Later she posted this:
http://consumerist.com/2008/08/burger-king-employee-takes-bath-in-sink-feels-wrath-of-healthdepartment.html
12
Here are links with pictures:
http://images.google.com/images?hl=en&safe=off&client=firefox-a&rls=org.mozilla:enUS:official&hs=nt3&q=KFC+employees+sink&oq=&um=1&ie=UTF8&ei=OGBzS9TKHIKMtAOr78X8BQ&sa=X&oi=image_result_group&ct=title&resnum=4&ved=0CB8QsA
QwAw
http://www.nydailynews.com/news/national/2008/12/11/2008-1211_kentucky_fried_chicken_trio_photographed.html
http://www.youtube.com/watch?v=LpAXRt4TVgM
13
http://www.washingtontimes.com/news/2009/apr/22/capitol-police-probe-officers-facebook-pages/
http://www.washingtontimes.com/news/2009/apr/23/capitol-police-chief-vows-action/
14
Link: http://blogs.salon.com/0001399/2002/08/25.html
4
8901858.1
2/22/2010
For a week now the Project has forged on through several circles of hell -- the
Moving Hell, the September 11th Anniversary Week at Downtown Development
Agency Hell, the Soul-Sucking Dead-End Job Hell.
B.
Monitoring To Prevent Cyber-Slander
Courtney Love’s tweets about her former fashion designer, Dawn Simorangkir, resulted
in the filing of a libel claim against Love in Los Angeles Superior Court in March 2009.
According to reports, Love tweeted that Simorangkir was a “nasty, lying, hosebag thief”;
having “a history of dealing cocaine”; having “lost all custody of her child”; and, being
guilty of “assault and burglary.” Love also said the designer would be “hunted til your
[sic] dead.” Love then allegedly posted on a fashion site where Ms. Simorangkir sells
her clothes: “The nastiest lying worst person I have ever known … evil incarnate, vile
horrible lying bitch.” Simorangkir seeks punitive damages, citing that Love’s comments
have destroyed her reputation and her business. The court papers stated Love’s tweets
occurred because she was furious that Ms Simorangkir stopped working for her after
Love failed to pay her bill and that this led to “an intense level of animosity … well
beyond what any reasonable person would consider acceptable behavior.”15
C.
Anonymous Posts Do Not Guarantee Protection from Detection
Whole Foods CEO Blogging: The anonymous blog postings of the CEO of Whole
Foods disparaging a smaller competitor Wild Oats prior to Whole Foods’ acquisition of
Wild Oats were cited in a lawsuit filed by the FTC in 2007 to stop the acquisition as
being anticompetitive. Between 1999 and 2006, Whole Foods CEO John Mackey
posted anonymous messages on Yahoo! financial message boards about his own
company, and smaller rival Wild Oats, using the pseudonym Rahodeb (his wife
Deborah’s name spelled backwards, with the h and r at the end swapped). Mackey
disparaged the management of Wild Oats and questioned why any company would be
interested in acquiring the Whole Foods competitor. In addition to being cited in the
FTC’s lawsuit, the SEC also investigated Mackey’s postings to see whether he was
trying to manipulate Wild Oats’ stock before the acquisition, but decided not to pursue
any action in 2008.16
Dooced: Heather Armstrong was a blogger who is credited with coining the term
“dooced,” which means to lose your job for blogging. Armstrong used her blog
Dooce.com to complain about her boss and obnoxious coworkers. While she kept the
name of her employer a secret, never revealing the name of the software company that
15
Reported at: http://abcnews.go.com/Entertainment/AheadoftheCurve/story?id=7219953 with link to
complaint filed against Love); Andrew Johnson and Ian Griggs, Love’s Online Spat Sparks First Twitter
Libel Suit, The Independent, March 29, 2009, http://www.independent.co.uk/news/media/online/lovesonline-spat-sparks-first-twitter-libel-suit-1656621.html.
16
Reported at: http://industry.bnet.com/food/100063/whole-foods-mackey-back-to-blogging-after-sec-
probe/
5
8901858.1
2/22/2010
employed her, one reader figured out where Armstrong worked and sent an e-mail to
Armstrong’s employer about her blog. Armstrong was fired immediately.17
The Delta Flight Attendant Blog: Delta Air Lines flight attendant Ellen Simonetti was
fired, she said, for what her supervisor called a misuse of uniform. Simonetti had posted
on her personal blog, Queen of Sky (now called Diary of a Fired Flight Attendant),
pictures of herself, in her uniform, on an empty plane. Her blog also contained thinly
veiled work stories. The airline terminated her, and she later sued for discrimination,
arguing that male employees were not disciplined for postings on their blogs. Ellen
Simonetti, Perspective: I was Fired for Blogging, News.com (December 16, 2004);
Simonetti v. Delta Airlines, Inc., U.S. District Court, No. 1:05-cv-2321 (N.D. Ga. 2005).
D.
Monitoring For Breaches Of Restrictive Covenants
Employer’s investigation of employee’s breach of fiduciary duty lead to employee
suit for invasion of privacy: Employee came out ahead by $1.1 million before
attorneys’ fees.
Lawlor v. North American Corp. (Ill. Cir. Ct. 2009). Kathy Lawlor brought a breach of
contract (for unpaid commissions) and an invasion-of-privacy lawsuit against her former
employer, Glenview-based North American Corp. of Illinois, because the company hired
a private investigator after Lawlor left North American in 2005 to see if she was stealing
customers. The investigator obtained her phone records without her authorization,
which is known as "pretexting," and turned them over to the company executives. A
Cook County (Illinois) jury found that North American had invaded her privacy and
ordered the company, a business services firm, to pay her $1.8 million. On Oct. 19,
2009, the judge sided with the company in its separate claim against Lawlor for anticompetitive conduct and ordered Lawlor to give back $78,781 in commissions she had
earned, as well as to pay $551,467 in punitive damages. Bottom line: Lawlor came out
ahead by about $1.1 million before she pays her attorneys and taxes. The two sides are
still squabbling over both rulings, so it's too early to say if the outcome will stand.18
Starbucks Used Internet Searches to Monitor Compliance With Non-Compete And
Sued To Block Exec From Joining Rival Dunkin' Donuts
In 2009, Starbucks filed the lawsuit in U.S. district court in Seattle against Paul Twohig,
who oversaw the company’s retail operations in the Southeast before joining Dunkin’
Donuts.
Starbucks accuses Twohig of breaching an 18-month, non-compete
agreement. Twohig was responsible for developing Starbucks’ brand for thousands of
retail stores before he left Starbucks. Using periodic Internet searches, Starbucks
discovered that Twohig had accepted a position with Dunkin’ Donuts as its brand
operations officer. Starbucks then sued. Starbucks and Twohig settled with Starbucks
17
(Source: Urban Dictionary: http://www.urbandictionary.com/define.php?term=dooced
18
Lawlor
v.
North
American
Corp.
(Ill.
http://www.morelaw.com/verdicts/case.asp?n=&s=IL&d=41817)
6
8901858.1
2/22/2010
Cir.
Ct.
2009)(Reported
at
reducing Twohig’s 18-month non-compete to 10 months and Twohig agreeing to pay
Starbucks $500,000.19
E.
Monitoring to Prevent “Cyber-smearing,” “Cyber-stalking” and
“Cyber-harassment.”
Employers can be liable for on-line harassment of employees by co-workers, particularly
if the employers knew or should have known about the harassing communication. In
Blakey v. Continental Airlines, Inc., 751 A.2d 538 (N.J. 2000), an employee sued
Continental Airlines over derogatory comments made on a company electronic
message board and the New Jersey Supreme Court reversed summary judgment for
the employer, stating that the message board had sufficient connection to the employer
that, if it had actual or constructive notice of the postings, it could be liable for hostile
work environment. 20
In February 2009, three police officers in Harrison, N.Y., were suspended after they
allegedly made lewd remarks about the town mayor on a Facebook account. The
officers mistakenly thought the remarks were protected with a password, but city
officials viewed the page, said Harrison police chief David Hall. The remarks about
Mayor Joan Walsh might have violated the officer's code of conduct. Mr. Hall said the
town board was considering firing the officers. The policemen have asked a federal
judge in White Plains, N.Y., to limit the town of Harrison's inquiry into the online
postings, citing privacy concerns, but no resolution was reported.21
1)
Employees may be Discharged for Cyber-threats Sent from
Home Computers Using Company Email Systems
In Smyth v. Pillsbury, 914 F. Supp. 97 (E.D. Pa. 1996), the employee's termination was
upheld by the court, even though the company had a policy of allowing e-mail use for
personal communications. Smyth asserted that the company had assured employees
that it would respect the confidentiality of e-mail communications; specifically, that email would not be intercepted or used as grounds for termination. He further alleged that
he received an e-mail on his home computer from a supervisor and exchanged
communications with him that disparaged company management and could be taken as
potential threats to it. These were monitored and Smyth was discharged. He claimed
that his discharge violated the state’s public policy by infringing on his right to privacy.
The district court rejected his claim in part because:
19
Reported at: http://www.nrn.com/breakingNews.aspx?id=375036. Tim McLaughlin, Boston Business
Journal (Wednesday, October 7, 2009, 5:29pm EDT).
20
See Jones v. R.R. Donnelley & Sons Co., 1999 WL 33257839 (N.D. Ill. 1999) (race discrimination claim
based in part on 165 offensive jokes transmitted through e-mail system); Curtis v. Citibank, 1998 WL
3354 (S.D. N.Y. 1998) (racist e-mail).
21
Dionne Serarcey, Employers Watching Workers Online Spurs Privacy Debate, WSJ.com April 23,
2009). Source: http://online.wsj.com/article/SB124045009224646091.html.
7
8901858.1
2/22/2010
•
“[o]nce plaintiff communicated the alleged unprofessional comments to a second
person (his supervisor) over an e-mail system which was apparently utilized by
the entire company, any reasonable expectation of privacy was lost” and
•
“the company’s interest in preventing inappropriate and unprofessional
comments or even illegal activity over its e-mail system outweighs any privacy
interest the employee may have in those comments.”22
2)
Harassment by Text and Social Networking.
Employers should be aware of the possibility that employees (including managers and
supervisors) might post offensive language or pictures on social networking sites that
can be viewed by co-workers and clients. These off duty postings can create an
actionable hostile environment at work.
In one sexual harassment suit in Connecticut against World Wrestling Entertainment
Inc., a former licensing coordinator the married, senior director of the company's
consumer products division made sexual advances via late-night texts and phone calls.
D'Angelo v. World Wrestling Entertainment, Inc., Case No. 3:08-CV-01548 (D. Conn.
2008).
In another case, four waitresses at Famous Dave's restaurant in Kanawha County, W.
Va., also relied on text messages to bolster sexual harassment claims against a
supervisor last year, alleging, among other things, that he sent text messages asking for
sexual favors. Zeigler, et al. v. Famous Dave’s, et al., 2008 WLNR 4723590.
In January, 2009, two women in Ohio used texts to secure a $495,000 settlement in a
sex scandal that led to the resignation of state Attorney General Marc Dann. The texts
to help show that they were placed in situations that made the AG's office a hostile work
environment. In one case, one of the women produced a text message that said she
was "in a weird situation" and needed a ride home from Dann's apartment one night.23
In April 2009, text messages helped two female soccer players who accused their
coach of sexual harassment secure $450,000 in settlement from Central Michigan
University. The players alleged that their coach manipulated them into having secret
sexual relationships with him. The coach, Tony DiTucci, maintained he was innocent,
claiming the two students had made suggestive romantic advances toward him, and
that he reported it to his supervisors. However, the coach had sent the players
inappropriate text messages, which helped settle the claims.24
22
914 F. Supp. at 101.
23
Tresa Baldas, In the Heat of the Moment, National Law Journal, ALM Media, Inc., July 20, 2009.
24
Id.
8
8901858.1
2/22/2010
3)
New State Laws Criminalize Online Harassment.
Texas recently enacted a law, effective September 1, 2009, that criminalizes online
harassment, stalking and “spoofing.” Texas joins other states that have enacted similar
legislation, including Nevada,25 New York26 and Tennessee.27
Although the Texas law uses the term “online harassment,” it prohibits online
impersonation with the intent to cause harm, i.e., the unauthorized use of another’s
name or persona to create a web page, or to post one or more messages on a
commercial social networking site, with the intent to defraud, harm, intimidate or
threaten another person. This offense is a third-degree felony, punishable by two to ten
years imprisonment and a fine not to exceed $10,000.
The law also criminalizes the unauthorized transmission of an electronic communication
(e.g., e-mail, text message, or instant message) using another person’s identifying
information (e.g., name, domain address, phone number, etc.) with the intent of causing
(a) the recipient to believe the sender was the other person, and (b) harm to any
person. This offense is a Class A misdemeanor, punishable by up to one year of
imprisonment and a fine not to exceed $10,000.
The Texas statute, and similar laws in other states, are designed to address situation
when disgruntled former employees “spoof” a hated supervisor or executive by posting
a phony social networking profile or by sending fake e-mail communication to other
employees. These spoofs often are defamatory, but it is often difficult to uncover the
identity of the perpetrator(s) or obtain any relief through civil litigation.28
4)
It is Hard to Address Cyber-Slander Through Civil Litigation.
Blockowicz v. Ramey, 2009 U.S. Dist. LEXIS 118599 (N.D. Ill. Dec. 21, 2009) illustrates
the difficulties involved in addressing cyber-slander through the courts. The plaintiffs in
Blockowicz v. Ramey were victims of online defamation on social networking and other
websites. They successfully obtained a default judgment against the defendants and an
injunction to remove the defamatory material. All but one of the third-party networking
sites voluntarily removed the defamatory material. However, when the plaintiffs went
back into court to force the last site (Xcentric) to comply with the injunction, the judge
refused to enjoin Xcentric because it found the third-party site did not act in concert or
aid in the posting of the defamatory comments since its Terms of Service prohibited the
posting of defamatory material on the site.29
25
NRS 200.575 effective October 1, 2009, text available at: http://www.leg.state.nv.us/NRS/NRS200.html#NRS200Sec575).
26
Text of New York law available at: http://assembly.state.ny.us/leg/?bn=A08193).
27
Tennessee law available at http://state.tn.us/sos/acts/106/pub/pc0347.pdf).
28
Available at: http://www.legis.state.tx.us/tlodocs/81R/billtext/html/HB02003F.htm.
29
Blockowicz, 2009 U.S. Dist. LEXIS 118599, at *6-9.
9
8901858.1
2/22/2010
F.
Monitoring to Prevent Discrimination
Former Senator George Allen (R-VA) made an off-hand racist remark (“Macaca”) to his
opponent’s cameraman, who was of Indian descent.30 His remark was recorded and
posted to YouTube, where it may have contributed to his narrow defeat to Democrat Jim
Webb.31
G.
1.
Monitoring to Address Employees’ Disclosure of Confidential
Information
On February 4, 2010 at 10:10 am ET, Dow Jones Newswires reported that:
Royal Dutch Shell PLC (RDSB.LN) data containing the contact details of tens of
thousands of employees, which the company said could compromise their
personal safety, has been leaked to a blogger critical of the company, according
to emails seen by Dow Jones Newswires.
The data, which includes mobile numbers and home postcodes of workers in
dangerous locations.32
2.
In 2009, U.S. Congressman Pete Hoekstra (R-Mich) got into trouble after he
twitted about his exact whereabouts while traveling in Iraq.33 The Pentagon has
ordered a review of the use of Twitter and other electronic devices in this fashion.34
3.
Employees’ disclosure of confidential information on social networking sites and
to the Press can be a legitimate basis for termination.
In Tides v. The Boeing Co., 2010 WL 537639 (W. D. Wash. Feb. 9, 2010),
a federal judge ruled that Boeing’s termination of fired two auditors for
leaking information to a newspaper did not violate the whistleblower
protections of the Sarbanes-Oxley Act.
30
Tim Craig & Michael D. Shear, Allen Quip Provokes Outrage, Apology, The Washington Post, August
15, 2006, http://www.washingtonpost.com/wp-dyn/content/article/2006/08/14/AR2006081400589.html.
31
More Than Fine, The Top 5 Viral Videos That Changed Someone’s Life (For the Worse),
http://nomorequo.blogspot.com/2007/04/top-5-viral-videos-that-changed.html (last visited May 14, 2009);
Vincent Pascual , Twitter and Employment Law Issues, produced for a course entitled “Employment Law
and Technology,” taught at the University of San Diego School of Law during Spring Semester 2009
available at: http://socialmedialawstudent.com/twitter/the-first-law-school-seminar-paper-on-twitter-twitter-and-employment-law-issues/#fn-1792-1.
32
Source: http://online.wsj.com/article/BT-CO-20100204712072.html?mod=WSJ_World_MIDDLEHeadlinesMideast
33
Helen A.S. Popkin, Twitter Gets You Fired in 140 Characters or Less, MSNBC, March 23, 2009,
http://www.msnbc.msn.com/id/29796962/.
34
Kyla King, Congressman Pete Hoekstra’s Twitter Flap Prompts Pentagon Policy Review, MLive,
February 11, 2009.
http://www.mlive.com/news/grand-rapids/index.ssf/2009/02/hoekstras_twitter_flap_prompts.html.
10
8901858.1
2/22/2010
4.
“Pretexting” and poor investigation techniques may undermine employer’s efforts
to protect confidential information and stop leaks
In 2006, Hewlett-Packard hired private investigators to help find the source of
information leaks. HP used poorly conceived investigatory such as digging
through trash, sending fake e-mails loaded with hidden tracking software, and
tailing journalists who were communicating with HP employees. They crossed
the legal line when they used pretexting, or posing as someone else in order to
get phone records. The chairman of HP Patricia Dunn and half a dozen board
members resigned or were fired as a result. Dunn was charged with four
felonies; as was Kevin Hunsaker, the company's senior counsel and chief ethics
officer.35
1)
Social Networking Sites Address Confidential Information and
IP in Terms of Service.
a.
YouTube expressly states in its Terms of Service that it "does
not permit copyright infringing activities and infringement of
intellectual property rights on its Website" and, if such
activities take place, YouTube will remove any infringing
content from the site. YouTube, like most social media sites,
states in its Terms of Service that the company reserves the
right to make the call whether content is infringing or not and
reserves the right to remove (or not remove) the complainedof content.
b.
Twitter devotes a specific section of its site to copyright
violations (see "Copyright Policy": http://twitter.com/tos),
including designating a specific "Copyright Agent" to receive
DMCA requests in accordance with a specific DMCA
procedure.
c.
Facebook's Statement of Rights and Responsibilities
requires an individual or business signing up for a page on
Facebook to agree among other things, not to "post content
or take any action in Facebook that infringes or violates
someone else's rights or otherwise violates the law." In this
agreement, it is acknowledged that Facebook "can remove
any content or information" if Facebook believes it violates
provisions of the Statement. Like the YouTube and Twitter
policies described above, Facebook provides separate
35
Reported at: Hannah Clark, How to Spy (Legally) on Your Employees, Forbes.com (Oct. 26, 2006), link:
http://www.forbes.com/2006/10/25/leadership-hewlett-packard-spying-lead-managecx_hc_1025fiveways.html.
11
8901858.1
2/22/2010
mechanisms for reporting copyright and non-copyright
infringement issues.36
H.
Monitoring to Prevent Improper “Friending,” Endorsements, and
LinkedIn Recommendations
1)
Ethical Rules for Attorneys and Judges.
The Judicial Ethics Advisory Committee of the Florida Supreme Court recently opined
on the ethical issues relating to judges' use of online social networking sites, such as
Facebook. The Committee advised that when judges “friend” lawyers online who may
appear before them, it creates the appearance of a conflict of interest because it
“reasonably conveys to others the impression that these lawyer ‘friends’ are in a special
position to influence the judge.”
The Philadelphia Bar Association Professional Guidance Committee issued its Opinion
2009-02 which held that a lawyer could not ask a “third person” (presumably a paralegal
or office employee) to Facebook-friend a deposition witness so the lawyer could
surreptitiously access the witness’ Facebook page.37
2)
The FTC’s Endorsement Guides.
On October 5, 2009, the FTC released its Final Guides Concerning the Use of
Endorsements and Testimonials in Advertising, which state that the post of a blogger
who receives cash or in-kind payment to review a product is considered an
endorsement and bloggers who make an endorsement must disclose the material
connections they share with the seller of the product or service. Thus, employees’
LinkedIn recommendations and other blogging endorsements of clients, customers,
suppliers and other third parties based on the express or implied promise of
compensation, kickbacks or continued business may result in potential liability for
employers under the FTC’s new rules.38
LinkedIn recommendations may cause other trouble for employers. A supervisor’s
LinkedIn recommendation of a subordinate could become evidence in a subsequent
employment discrimination lawsuit. For instance, an employee who is terminated for
performance reasons may claim that the discharge was discriminatory and the
performance reasons were pretextual by relying upon a LinkedIn recommendation
provided by his/her supervisor as proof that he/she was performing satisfactorily.
36
Available at: http://www.facebook.com/legal/copyright.php?copyright_notice=1.
and http://www.facebook.com/legal/copyright.php?noncopyright_notice=1.
37
Copy of Opinion 209-02 available at:
http://www.philadelphiabar.org/WebObjects/PBAReadOnly.woa/Contents/WebServerResources/CMSRes
ources/Opinion_2009-2.pdf.
38
http://www.ftc.gov/opa/2009/10/endortest.shtm.
12
8901858.1
2/22/2010
I.
Screening Job Applicants’ Blogs, Social Networking Profiles, and
Video Posts
With 400,000,000 million active users on Facebook alone, interviewers are now
scrutinizing job candidates’ social networking profiles and video site postings for an
unfiltered look at the real person behind the resume.
According to a CareerBuilder.com 2009 survey, 45% of the employers polled said
they've researched job candidates via social-networking sites like Facebook - an
increase from only 22% in 2008.
And 35 percent said the information they found—such as indications of drug and
alcohol use or provocative pictures or messages—resulted in rejecting a
candidate.39
1)
The Potential Pitfalls for Employers from Screening Job
Applicants’ Social Networking
a.
1.
The Risks of Requiring Access to Applicants’ Social
Networking Sites.
The Bozeman, Montana Fiasco
January 2009: The City of Bozeman, Montana required all job applicants to not only list
their social networking sites but also provide log in information. The City had
apparently started requiring this three years earlier with fire and police applicants –
supposedly looking for illegal activity – and then expanded it.
The City’s Application Form asked applicants:
“Please list any and all current personal or business Web sites, Web
pages or memberships on any Internet-based chat rooms, social clubs or
forums, to include, but not limited to: Facebook, Google, Yahoo,
YouTube.com, MySpace, etc.” Three lines were provided for applicants to
list log-in information for each site.
The story made worldwide news, prompting lots of internet and media outrage. The
Guardian, a major daily newspaper in London, named the city of Bozeman its “civil
liberties villain of the week” on its Web site.
In June 2009, the City apologized and suspended the policy but didn’t totally eliminate
it. The City later claimed they had only required this information from people that were
39
Source: “Forty-Five Percent of Employers Use Social Networking Sites to Research Job Candidates
CareerBuilder
Survey
Finds”
Wall
Street
Journal
August
19,
2009.
http://bozemandailychronicle.com/articles/2009/06/19/news/10socialnetworking.txt.
13
8901858.1
2/22/2010
going to be offered a job. Note that the city commissioners were never subject to this
policy.40
2.
The Missouri School Superintendant’s Hiring Inquiries.
April 2008: The Washington Post reported that a Missouri school superintendent asks
potential teachers if they have a Facebook or MySpace page. If the candidate says yes,
then the superintendent suggests taking an immediate look at the would-be teacher’s
profile.41
b.
Reasons Why Job Applicants Should Be Discrete About
What They Tweet.
The “Cisco Fatty” story: According to reports, a person offered a job at Cisco tweeted
that “Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck
against the daily commute to San Jose and hating the work.” The “Cisco Fatty” did not
protect her profile or limit access to her tweets. Someone claiming to be a Cisco
associate responded that her Tweet would be passed along to her hiring manager. This
Tweet was taken out of context, according to the Cisco Fatty, because the paycheck
was for an internship she didn’t want and already turned down.42
c.
The Legal Risks for Employers of Using Social
Networking Sites to Screen Applicants
Many hiring managers “Google” applicants or view Facebook profiles to uncover useful
information about job candidates. Some employers/HR personnel engage in “ghosting”
by posing as a random Twitter user interested in an applicant’s tweets or other their
online accounts.43 However, they overlook the potential legal problems that arise from
doing so.
1.
For instance, while an employer cannot legally ask an applicant his/her
age, sexual orientation, religion, national origin, disability status or
personal health information. During a conventional application/interview
process, the employer may unwittingly learn this information by doing a
quick “Google” search. Once an employer has such information, it may
face discrimination claims from applicants who are not hired and contend
40
Source: “Forty-Five Percent of Employers Use Social Networking Sites to Research Job Candidates
CareerBuilder
Survey
Finds”
Wall
Street
Journal
August
19,
2009.
http://bozemandailychronicle.com/articles/2009/06/19/news/10socialnetworking.txt.
41
When Young Teachers Go Wild On The Web (Washington Post April
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/27/AR2008042702213.html.
2008)
:
42
Helen A.S. Popkin, Getting the skinny on Twitter’s ‘Cisco Fatty’, MSNBC, March 27, 2009,
http://www.msnbc.msn.com/id/29901380/.
43
Charles Robinson, Social networking a potential trap for prospects, Yahoo! Sports, April 7, 2009,
http://sports.yahoo.com/nfl/news?slug=cr-socialnetowrking040709.
14
8901858.1
2/22/2010
that the company’s decision was based on the protected factor revealed
by a blog posting, tweet or Facebook profile.
2.
The Equal Employment Opportunity Commission (EEOC) requested
public comment in 2009 on whether employers should be prohibited from
using social- networking sites like Facebook to research job candidates,
since the online searches could reveal information about genetic
information protected under the Genetic Information Nondiscrimination Act
(GINA).44
3.
Similarly, applicants may allege discrimination where the employer only
conducts Google searches on some applicants (for example, minorities),
and not others, or holds certain groups to a higher standard than others
when viewing and considering information on social media sites.
4.
In using such sites, the Fair Credit Reporting Act, 15 U.S.C. § 1681, et
seq., and similar state laws may come into play if information on a social
networking site, such as Facebook, was obtained by a third party
investigator and included in a “consumer report” (i.e., a backgroundcheck) that the employer intends to use in an employment decision. The
FCRA would not prohibit the acquisition or use of the information, but
would require notices and disclosure of the fact that such information was
the basis for the decision.
5.
Facebook, Twitter and other accounts can be faked, so hiring personnel
should not believe everything they see on these sites. There have been
many
lawsuits
like
this
one
from
UK:
http://news.bbc.co.uk/2/hi/uk_news/7523128.stm
To reduce risk in this area, employers are well-advised to prepare and distribute a
comprehensive Internet background search policy and train supervisors in this area. In
addition, employers may have a third-party or “screened” employee conduct any
Internet background checks and send only information relevant to the employment
search to the company’s hiring decisionmakers.
44
(http://edocket.access.gpo.gov/2009/E9-4221.htm. Reported at:
http://www.baerbizlaw.com/category/blog/genetic-information-and-social-media-employers-beware/).
15
8901858.1
2/22/2010
IV.
The Potential Pitfalls for Employers Monitoring Employees’ Off-Duty
Internet Usage and Social Networking
A.
NLRB Issues.
1)
Policies Barring Worker Criticism of Employer May Cause
Labor Problems.
In February 2010, the Newspaper Guild of New York accused Thomson Reuters Corp.
of neglecting to negotiate with the union before cutting the pay of unionized workers and
imposing a policy barring workers from bashing the media giant on Twitter.45
In Register-Guard, 351 NLRB No. 70 (2007), the National Labor Relations Board held
that employees could not use their employer's e-mail system as a matter of right to
engage in union-related activities or union solicitation. On July 7, 2009, the D.C. Circuit
refused to uphold the Board's conclusion as to whether the employer discriminatorily
enforced its email policy but did not explicitly overrule the standard announced by the
Board in December (because on appeal, the union did not challenge the lawfulness of
the email policy), effectively holding that the newspaper in that case did not violate
federal law by issuing a policy banning all solicitations, including union solicitations,
from its corporate e-mail system. However, the D.C. Circuit found the newspaper’s
inconsistent enforcement of its policy demonstrated unlawful discrimination against
union activities because “in practice the only employee emails that had ever led to
discipline were the union-related emails at issue here.”46
In Konop v. Hawaiian Airlines, Inc., the Ninth Circuit had held that surveillance of an
employee’s secure website for utterances protected by the Railway Labor Act
(applicable to airline employees) stated a claim for violation of that Act.47
45
Source: Employment Law360 (Feb. 8, 2010)(reporting on union’s NLRB claim against Reuters):
http://employment.law360.com/registrations/user_registration?article_id=148166&concurrency_check=fal
se
46
Guard Publishing Co. d/b/a The Register-Guard v. NLRB, 571 F.3d 53, 60 (D.C. Cir July 7, 2009). Cf.
Media Gen'l Operations, Inc. v. NLRB, 2007 WL 806023, *3 (4th Cir. 2007) (affirming NLRB decision that
had found an unfair labor practice based on an employer/newspaper's discriminatory enforcement of its email policy's prohibition on non-business uses, where employer had violated the NLRA by "ma[king] no
attempt ... to enforce the policy against any violations other than union messages[, given that t]he re-cord
contains numerous examples of messages unrelated to the work of the newspaper").
47
Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002).
16
8901858.1
2/22/2010
B.
Invasion of Privacy Claims
1)
Employees’ Reasonable Expectation
Employers’ “Offensive” Intrusion
of
Privacy
and
Employer’s Limited Hidden Workplace Surveillance to Uncover Who Viewed
Pornography on Company Computer was Not Sufficiently Offensive.
In Hernandez v. Hillsides, 47 Cal. 4th 272, 211 P.3d 1063, 97 Cal. Rptr. 274 (Cal.
August 3, 2009), an executive director of a non-profit residential facility for abused
children installed hidden cameras in an office shared by the plaintiffs to find out who
was viewing pornographic web sites from a company computer after hours because he
was concerned for the safety of the children at the center. The plaintiffs themselves
were not suspects and were never recorded or videotaped as the recordings only took
place overnight when plaintiffs were away from the office. Nonetheless, plaintiffs sued
Hillsides for invasion of privacy after discovering the hidden camera. Even though the
lower courts found for the plaintiffs, the California Supreme Court reversed because,
based on the specific facts of this case, the employer’s intrusion was not “highly
offensive and sufficiently serious” to constitute a violation of its employees’ privacy
interests since the employer had a compelling reason for the surveillance (protecting the
children at the center), and that the surveillance was limited to recording on three
occasions with the camera pointed only at plaintiffs’ computers, and only after business
hours so that plaintiffs were never actually videotaped.
Other courts have rejected invasion of privacy claims based upon employers accessing
employees’ “personal documents” on company computers where the no privileged
communications with personal attorneys were involved and the companies had clear
monitoring policies. See McLaren v. Microsoft Corp., 1999 WL 339015 (Tex. App.
Dallas 1999) (rejecting claim for invasion of privacy when management had accessed
employee's "personal" folders on a company computer).
C.
Federal Laws Affecting Employer Monitoring of Off-Duty Social
Networking.
1)
The Federal Electronic Communications Privacy Act (“ECPA”)
prohibits the unauthorized interception of wire, oral or electronic
communication.48 An “interception” is defined as the “aural or other
acquisition of the contents of any wire, electronic, or oral
communication through the use of any electronic, mechanical, or
other device.49 Criminal penalties for a violation of the ECPA can
include a fine or imprisonment up to five years.50 Further,
individuals whose communications were intercepted under this
section can bring a civil action against the person or entity who
48
18 USC §§ 2510-2521.
49
Id. § 2510(4).
50
Id. § 2511(4)(a).
17
8901858.1
2/22/2010
engaged in the violation for damages including preliminary or
equitable relief, actual damages, statutory damages amounting to
the greater of $100/day for each day of the violation or $10,000,
punitive damages, and attorney’s fees.51
There are two relevant exceptions to the ECPA: the consent exception and the business
extension exception.
a.
The ECPA’s Consent Exception
Under the EPCA’s “consent” exception, a party to a communication can “consent” to an
otherwise impermissible monitoring of the communication:
It shall not be unlawful under this chapter for a person. . .to
intercept a wire, oral, or electronic communication where
such person is a party to the communication or where of the
parties to the communication has given prior consent to such
interception unless such communication is intercepted for
the purpose of committing any criminal or tortious act. . .52
Thus, employers will not face liability under the ECPA as long as it obtains consent from
at least one of the parties to the communication. Consent under the ECPA can be either
express or implied. One author noted that because the determination of whether there
is implied consent is highly fact-specific, employers should attempt to obtain express
consent in writing.53
Implied consent can be inferred from the surrounding circumstances indicating that the
party knowingly agreed to the surveillance.54 Consent, however, is not “cavalierly
implied.”55
Because the ECPA applies only to the interception of communications before they are
stored and does not apply to the interception of communications that involves the
consent of only one party, employers usually will not face liability under the ECPA for
51
Id. § 2520(a)(c).
52
18 U.S.C. § 2511(2)(d)(emphasis added)
53
Lee, Wrongful Termination Claims: What Plaintiffs and Defendants Have to Know, 651 PLI/Lit at 545.
54
Laughlin v. Maust, 1997 WL 436224 at *5 (N.D.Ill. Aug. 1, 1997) (restaurant employee who was notified
that its main business line would be monitored had impliedly consented to the recording, but employees
who had not been notified had not impliedly consented).
55
Abbott v. Village of Winthrop Harbor, 953 F. Supp. 931 (N.D.Ill. 1996) (fact that plaintiffs heard beep
tones indicative of the “tapped phones” when using the line was insufficient to create “consent”); Deal v.
Spears, 980 F. 2d 1153, 1157 (8th Cir. 1992) (informing employee that he “might” monitor was not
sufficient to obtain “consent”); Watkins v. Berry, 704 F. 2d 577, 579-81 (11th Cir. 1983) (where employer
told employees that personal calls would not be monitored except to the extent necessary to determine
whether a call was personal or business related, monitoring of a personal call might violate ECPA).
18
8901858.1
2/22/2010
monitoring blogs, tweets and other social networking because they involve stored
communications.
b.
The EPCA’s Business Extension Exception
The business extension exception provides an alternative, although less clear-cut,
defense for employers who face liability for monitoring communications under the
ECPA.56 Unlike the consent exception, this exception is not explicitly set forth in the
statute. Rather, courts have based it on the definition of the phrase “electronic,
mechanical, or other device” (an “intercept” requires the use of a “mechanical,
electronic, or other device”). The phrase is defined as:
Any device or apparatus which can be used to intercept a wire, oral, or electronic
communication other than – any telephone or telegraph instrument, equipment or
facility, or any component thereof, i) furnished to the subscriber or user by a
provider . . . in the ordinary course of its business and being used by the
subscriber in the ordinary course of its business or furnished by such subscriber
or user for connection to the facilities of such service and used in the ordinary
course of its business. . . .
Therefore, the exception is derived from the theory that telephone equipment used for
intercepting communications furnished by a subscriber used in the ordinary course of
business is not a “mechanical, electronic, or other device.” If an employer uses such
equipment while monitoring a phone call for business purposes, there is no unlawful
“intercept.” At least one court has held that consent is not a component of this
exception.57 Courts applying the business extension exception have focused on the
kind and source of equipment used to intercept to determine the applicability of the
exception.58 Courts have also addressed the nature of the calls intercepted and
reasons for doing so.59
Monitoring employee communications for training and quality control purposes in the
ordinary course of business would probably be protected under the ECPA’s business
56
18 USC § 2510(5)(a)(i).
57
Arias v. Mutual Central Alarm Svc., Inc., 202 F.3d 553, 559 (2d Cir. 2000).
58
Laughlin v. Maust, 1997 WL 436224 at *3 (recording phone calls through an adapter and recorder
attached to a main business line, where the employer merely recorded, but did not “listen in” and where
the recording device at issue was not provided by the telephone company, did not satisfy the extension);
Watkins v. Berry, 704 F. 2d at 582 (recording device purchased at Radio Shack attached to a phone
extension did not qualify for the extension); Amati v. City of Woodstock, 1997 WL 857493 at * 3 (N.D. Ill.
1997) ( “[A] vast majority of the circuit courts of appeals having [addressed this issue] have held that a
recorder acquired via a third party and attached to a telephone line does not fall within the exemption of
section 2510(5)(a)”).
59
Epps. v. St. Mary’s Hospital, 802 F.2d 412, 416 (11th Cir. 1986). See also Smith v. Devers, 2002 WL
75803 at *3 (M.D. Ala. Jan. 17, 2002) (“It is quite apparent that the complete interception of personal
phone calls of an employee is not and can never be protected behavior under the business-extension
exemption. That exemption allows only the interception sufficient to determine the personal nature of the
call.)
19
8901858.1
2/22/2010
extension exception, as long as the monitoring was does using through equipment
provided by employers’ telephone service provider, and employers refrain from
recording personal calls once they determine that the call is personal.
2)
The Stored Communications Act.
The Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2711, makes it an offense
to “intentionally access a facility through which an electronic communication service is
provided . . . and thereby obtain ... access to a wire or electronic communication while it
is in electronic storage in such system.” It is possible, therefore, that an employer could
face liability under the SCA for accessing an employee external website where that
website is password protected or contains other security measures – and the employer
does so without the employee’s authorization. Like the ECPA, the SCA contains an
exception from potential liability if the conduct is, in fact, authorized by the person using
the service with respect to any communication intended for the user.60
Reviewing Employees’ Private Emails Violated the SCA.
In Van Alstyne v. Electronic Scriptorium Limited, 560 F.3d 199 (4th Cir. 2009), the
Fourth Circuit held that an employer who accessed a former employee's personal e-mail
account without permission could be held liable for punitive damages and attorneys'
fees under the federal Stored Communications Act (SCA), even without proof of any
actual damages, but the SCA’s minimum statutory damages of $1,000 per violation
were recoverable only with proof of actual damages (creating a conflict with district court
decisions in other circuits). The Fourth Circuit noted that Edward Leonard, the
president of Electronic Scriptorium Limited (ESL), gained access to the personal e-mail
account of Bonnie Van Alstyne, ESL's former Vice President of Marketing, and reviewed
her personal e-mail, after she initiated three separate proceedings against ESL
involving employment-related claims. For more than one year after Van Alstyne's
termination, Leonard accessed "Van Alstyne's AOL account at all hours of the day, from
home and internet cafes, and from locales as diverse as London, Paris, and Hong
Kong" and he downloaded 258 different emails from Van Alstyne's personal AOL
account. Van Alstyne learned of Leonard's snooping through discovery in a separate
lawsuit that ESL had filed against Van Alstyne. She then sued Leonard under the SCA
and was awarded more than $400,000 in the trial court, but the Fourth Circuit vacated
and remanded the entire award for reconsideration in light of the appellate court’s
opinion.61
Employers’ Use of Other Employees to Gain Access to Employees’ PasswordProtected and Access-Restricted Social Networking Violated the SCA and State
Law.
In Pietrylo v. Hillstone Restaurant Group, d/b/a Houston’s, a Newark, New Jersey jury
held that the employer, Houston’s Restaurant, violated the federal Stored
Communications Act and the similar New Jersey Wiretapping and Electronic
60
18 U.S.C. § 2701(c)(2).
Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914, 925-26 (W.D. Wis. 2002)(where an
employer and a computer consultant it had hired accessed plaintiff's private Web-based e-mail account,
the court found fact issues precluded summary judgment for defendants).
61
20
8901858.1
2/22/2010
Surveillance Control Act, by secretly monitoring employees’ postings on a private
password-protected Internet chat room. A jury found in favor of the employees,
awarding modest compensatory damages, but adding punitive damages after finding
that the company had acted maliciously. The District court affirmed the jury’s finding in
an unpublished opinion issued on September 25, 2009. Pietrylo v. Hillstone Restaurant
Group, 2009 WL 3128420 (D.N.J. Sept. 25, 2009).
The Pietrylo lawsuit arose after two of the restaurant’s managers accessed a MySpace
chat group maintained by Pietrylo during his non-work hours. The chat group, called the
“Spec-Tator,” could be accessed only via an electronic invitation from Pietrylo. When
Pietrylo and Marino created the group, they invited a select group of Houston’s
employees, but no managers. If the user accepted that invitation, he or she could
access the site only by using a personal password. The site included language that
indicated that the group was private, and that it was a place in which Hillstone
employees could talk about the “crap/drama/and gossip” related to their workplace. No
Hillstone upper manager was invited to join the group, and members accessed the site
only during non-work hours and on non-company computers.
One employee/chat group member, Karen St. Jean, made a Houston’s manager aware
of the site. St. Jean later provided her password to another manager, Robert Anton,
who shared the information with a regional manager, Robert Marano. In spite of the
privacy warning on the page, Anton and Marano accessed the site on multiple separate
occasions. After determining that the content of the postings in the chat group were
“offensive,” Anton and Marano fired Pietrylo and Marino.
Under the SCA, the plaintiffs had to prove that Houston’s managers accessed the chat
group “knowingly, intentionally, or purposefully,” and without authorization. Although
Houston’s argued that St. Jean willingly volunteered her password to Anton, St. Jean’s
trial testimony included the fact that she would not have provided that information to
Anton if he had not been a manager. The court’s decision to affirm the jury’s findings
turned partly on the fact that there was no documentary evidence concerning the
authorization, and so the jury had to rely on the testimony and demeanor of the
witnesses. The court held that the jury could infer from St. Jean’s testimony, specifically
her statement that she felt that she “would have gotten in trouble” if she hadn’t provided
her password, that the purported authorization was coerced. In addition, the court cited
that particular testimony, in conjunction with the fact that the restaurant’s managers
viewed the site on several different occasions, even though the site specifically
contained warnings that it was “private” and accessible to “members only,” to support its
decision to deny Houston’s motions for JNOV or a new trial.62
Employer Take-Aways: The evidence that managers may have coerced a co-worker to
disclose the password to the chat room, the lack of documentation regarding how the
company obtained the password, the accessing of a self-designated “private” chat room
by individuals without an actual invitation, and the repeated accessing of the site by
62
Id. at *2-4.
21
8901858.1
2/22/2010
manager with specific knowledge of its invitation-only status, all provided a basis for the
court to support the jury’s findings against the company.
Using Passwords Obtained from Co-Workers to Access Restricted Access
Websites Violated the SCA
In Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), a dissident pilot,
Konop, maintained a website on which he posted remarks critical of the company and
its managers. He restricted access to it by requiring visitors to log in with a user name
and password and to agree not to disclose the site’s contents. He provided user names
to some co-workers, but not to managers. A company Vice President got permission
from a pilot, who had been given access, to use his password to gain access. (Konop
learned of the possible breach of the security of his site and took it down, but restored it
shortly thereafter.) The Vice President continued to view the website, this time by using
the password of another pilot with his permission. The Ninth Circuit addressed Konop’s
claim that the Vice President’s access to his private website violated the Stored
Communications Act, which prohibits unauthorized access to an electronic
communication while in storage. The SCA exempts conduct authorized by a “user” of
the service with respect to a communication intended for that user, but the Ninth Circuit
read the SCA’s “user” exemption narrowly to mean only someone who had been
authorized to access the service and had actually availed himself of the service.
Reviewing Transcripts of Text Messages Sent on Employer-Owned Pagers, But
Obtained from Employees’ Cell Phone Provider, Violated the Stored
Communications Act and the Fourth Amendment (9th Cir. 2008 – cert. granted by
U.S. Sup. Ct.)
In Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008), cert.
granted sub nom. City of Ontario v. Quan, ___ U.S. ___, 2009 WL 1146443 (Dec. 14,
2009), the Ninth Circuit affirmed a the district court's ruling that the defendants violated
the Stored Communications Act ("SCA") and their Fourth Amendment rights by
producing plaintiff's text messages to the police department. The police department
claimed it sought the plaintiffs' text message transcripts to determine if the usage
overages the plaintiffs incurred were due to personal messages. Categorizing the
defendant service provider as an "electronic communication service" (ECS) that
knowingly provided transcripts of the text messages to the defendant City who was
merely a "subscriber" and not "an addressee or intended recipient of such
communication," the Ninth Circuit determined the defendant violated the SCA and
remanded the case to the district court. The Ninth Circuit ruled that, without either a
warrant or the employee's permission, the public employer was not entitled to obtain or
review cell phone text messages that are not stored by the employer or by someone the
employer pays for storage. While e-mails typically are stored on a company's own
servers, text messages usually are stored by cell phone companies and the employer
does not directly pay for their storage. Quon v. Arch Wireless, et al. 529 F.3d 892 (9th
Cir 2008).
The City of Ontario had a written electronics communications policy that expressly
prohibited personal use of its computers and notified employees that they had no
expectation of privacy with respect to any communications using the city's computer
22
8901858.1
2/22/2010
systems. The City's policy, however, did not make clear that this policy applied to its
police officers' pagers or to text messaging. Instead, because the city's pager service
contract with Arch Wireless charged the city additionally for each pager that exceeded
25,000 characters per month, the city informally permitted employees who exceed their
monthly character limit to simply pay the overage charge. Despite this informal practice,
the city contacted Arch Wireless to determine whether the pagers were being used
primarily for personal reasons and Arch Wireless provided transcripts to enable the city
to do so. After receiving these transcripts, the city learned that many of Sergeant
Quon's texts were personal and even sexually explicit in nature. Upon learning that their
texts had been reviewed, Sergeant Quon and others sued the city and the police
department under the Fourth Amendment for an illegal search and seizure and the
Stored Communications Act (SCA) and Arch Wireless for violating the SCA by turning
the transcripts over to the city.
The U.S. Supreme Court has accepted reviewed of the Ninth Circuit’s decision in
Quon.
On December 14, 2009, the United States Supreme Court agreed to hear the City of
Ontario's appeal of the Ninth Circuit's decision in Quon v. Arch Wireless Operating Co.
The questions presented to the United State Supreme Court for review are:
1. Whether an employee has a reasonable expectation of privacy in text messages
transmitted on his employer-provided pager, where the police department has an official
no-privacy policy but a non-policymaking supervisor announced an informal policy of
allowing some personal use of the pagers.
2. Whether the Ninth Circuit violated the Supreme Court’s prior Fourth Amendment
cases and created a conflict among the appellate courts by analyzing whether the police
department could have used “less intrusive methods” of reviewing text messages
transmitted by an employee on his employer-provided pager.
3. Whether individuals who sent text messages to an employee’s government-issued
pager had a reasonable expectation that their messages would be free from review by
the recipient’s government employer.
It is somewhat surprising that the Supreme Court accepted this case for review
decision. Reasons why Quon does not present a radical departure from existing law.
First, the City's electronics communications policy did not explicitly address text
messages. Then, complicating matters, the City official in charge of text messages
announced an informal practice that strongly suggested to employees that their text
messages would not be reviewed so long as they paid the overage charges from Arch
Wireless. Simply put, by not updating its electronics communications policy and by
permitting an informal practice to develop, the City created its own problem.
23
8901858.1
2/22/2010
How to Deal with Quon While Waiting for the Supreme Court’s Decision
Regardless of what the Supreme Court decides, Quon should serve as a reminder to
employers to ensure that not only are employee policies updated, but that they are also
being strictly followed by managers.
•
Employers should consider whether to prohibit employees from conducting any
company business other than over the corporate network.
•
Employers should consider limiting company-issued electronic devices to those,
such as a Blackberry, that can be configured to route all communications through
the corporate network.
•
Employers can lessen or defeat an employee’s expectation of privacy by
distributing a policy unambiguously stating that any employees communications
using any corporate technology or resources will be monitored and are not
private.
•
Employers can condition payment for the cell phone, or for the service, on the
employees giving written consent to the provider to disclose text messages to the
employer.
Accessing Employee’s Personal Email Accounts When Employee Failed to LogOff of Company Computer – SCA Violation?
Sidell v. Structured Settlement Investments, LP, Case No. 3:08-cv-00710-VLB (D.Conn
2008), involved an employer’s access, using its own computer equipment, to an
employee’s e-mail stored in an employee’s personal e-mail account. The company
closed a branch and fired the office manager for cause. Before the company had
changed the locks, the office manager entered his old office, logged on to his computer,
and sent an e-mail to his personal attorney regarding his potential claims against the
company. The office manager did not log-off from his Yahoo! account, or turn off his
computer. As a result, this e-mail remained accessible through the computer in the exoffice manager’s former office. Over the next few weeks while using the same e-mail
account, the ex-office manager sent his personal attorney numerous additional e-mails
regarding his termination. When this came out during discovery in a subsequent
arbitration over his termination, the former office manager then filed a lawsuit against
the company, claiming violations of the ECPA, the Stored Communications Act, state
statutes and for invasion of privacy. The case subsequently settled.63
Whether the SCA claim in Sidell would have survived depended upon:
•
63
whether the former employee consented to the employer’s access to his personal
e-mail because he did not log-off of his account or turn off his computer and he
knew his former employer would have access to it;
http://news.justia.com/cases/featured/connecticut/ctdce/3:2008cv00710/81493/
24
8901858.1
2/22/2010
•
the extent to which an employer may access information on an ex-employee’s
personal web-based email account that the employee accessed through
company owned and controlled computers, where the employee did not log-off or
turn off the computer.
3)
State Laws
a.
State Eavesdropping Laws.
Various states have also adopted some form of the ECPA or the SCA, but these state
wiretapping and eavesdropping laws typically prohibit the interception, eavesdropping,
or recording of electronic communications, before they are stored, without the consent
of one or all parties to the communications.64
b.
State Laws Requiring That Employers Notify Employees
Of On-Line Monitoring
Only two states, Delaware and Connecticut, legally require employers to notify staff that
their online activity is being monitored.65
c.
State “Lawful Activity” Laws
Illinois and other states have laws prohibiting employers from taking employment
actions based upon certain kinds of lawful off-duty conduct or the use of lawful
products.66 Two states, Illinois and Michigan, prohibit employers "from gathering or
keeping a record of an employee's associations, political activities, publications, or
64
See, e.g., 720 ILCS § 5/14-2; NJ ST 2A: 156A-3(a)(containing a single party consent exception in NJ
ST 2A: 156A- 4(d)); OH ST § 2933.52(A)(1)(containing single-party consent and business extension
exception similar to ECPA)); GA ST § 16-11- 65; CA PENAL § 632(a)(requiring consent of all parties).
65
Conn. Gen. Stat. § 31-48(d) (1999)(requiring “prior written notice” to all employees who “may be
affected” by an employer’s electronic monitoring, informing them of the types of monitoring which may
occur, but defining electronic monitoring as “the collection of information on the employer’s premises
concerning employees’ activities or communications by any means other than direct observation,
including the use of a computer . . . .”)(emphasis added); Del. Code, tit. 19, § 705(b)(2002
Supp.)(requiring either a “one time notice” signed by the employee or a daily electronic notice of employer
monitoring or interception of “any telephone conversation or transmission, electronic mail or transmission,
or internet access or usage” of the employee, but the law exempts “processes that are designed to
manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or Internet
usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or Internet
usage of a particular individual, and that are performed solely for the purpose of computer system
maintenance and/or protection.”). See also Matthew W. Finkin, Information Technology and Workers’
Privacy: The United States Law, 23 Comp. Labor Law & Policy Journal 47, 477 (2002)(available at:
http://www.law.uiuc.edu/publications/CLL&PJ/archive/vol_23/issue_2/FinkinCountryArticle23-2.pdf.
66
Illinois Right to Privacy in the Workplace Act, 820 ILCS 55/1 et seq. (prohibiting employers from
discharging or otherwise retaliating against employees or prospective employees who use “lawful
products” [defined as including but not limited to all tobacco products, all alcoholic beverages, all food
products, all over-the-counter drugs, and any drugs lawfully prescribed by the employee’s own physician]
outside the workplace during nonworking hours.).
25
8901858.1
2/22/2010
communications of non-employment activities, unless authorized by the employee in
writ-ing or unless the activity occurs on the employer's premises or during working hours
and interferes in the performance of the employee's or other employees' duties." citing
820 ILCS § 40/9 (1999); Mich. Comp. L. Ann. § 423.508 (1995) However, such laws do
not mention social networking and are largely ignored.
4)
Attorney-Client Privilege Issues and Monitoring Emails.
a.
Courts are split on whether emails sent using company
email account remain privileged
1.
Upholding Privilege Claim
On December 10, 2009, in Convertino v. U.S. Dept. of Justice, No. 1:04-cv-00236
(D.D.C. Dec. 10, 2009), a federal judge in the District of Columbia upheld the attorneyclient privilege for an employee's emails to his attorney, even though sent the emails to
his attorney from his work computer at the DOJ - and the DOJ later obtained them from
its email server. The judge concluded that the privilege applied largely because the
client was not aware that his employer had access to the emails:
•
The DOJ did not ban personal use of company e-mail.
•
The DOJ did not notify the employee that it would regularly access and save
emails from his account.
•
The employee tried to keep his emails private by deleting them and was unaware
that they were still on the DOJ servers.
In Stengart vs. Loving Care Agency, 408 N.J. Super. 54 (App. Div. 2009), New Jersey’s
Appellate Division held that Loving Care violated the attorney-client privilege by viewing
private Web-based emails between Stengart and her attorney even though the emails
were drafted on the Company’s computer and Loving Care’s email policy made clear, at
least in some areas, that Stengart had no privacy interest in such emails. The New
Jersey Supreme Court is currently reviewing this case.
In Sims v. Lakeside School, 2007 WL 2745367, at *2 (W.D. Wash. Sept. 20, 2007), an
employee used his employer’s laptop to communicate with his attorney and the
employer later forensically recovered the e-mails. The court stated “that [the employee]
was on notice that he did not possess a reasonable expectation of privacy in the
contents of his laptop[,]” yet held that “[n]otwithstanding defendant Lakeside’s policy in
its employee manual, public policy dictates that such communications shall be protected
to preserve the sanctity of communications made in confidence.” Id.
In re Asia Global Crossing, Ltd., 322 B.R. 247 (S.D.N.Y. 2005). In a bankruptcy
proceeding, company officers used the company email system to communicate with
their personal attorney. During discovery, the officers refused to produce these emails,
withholding on the grounds of the attorney-client, work product, and joint defense
26
8901858.1
2/22/2010
privileges. The employer's trustee moved to compel production, claiming the officers
waived any privileges with regard to the emails by using the corporate email system to
draft them. The court noted that “[s]ending a message over [a company’s] e-mail
system [is] like placing a copy of that message in the company files.” In re Asia Global
Crossing, Ltd., 322 B.R. 247, 259 (Bankr.S.D.N.Y. 2005). However, the court
nevertheless found the attorney-client privilege was not waived as a matter of law,
because the company's email policies regarding use and monitoring were unclear and
the officers may have reasonably believed the emails would remain confidential.
People v. Jiang, 31 Cal.Rptr.3d 227 (Cal Ct. App. 2005) 2005), withdrawn 33 Cal. Rptr.
3d 184, 203 (Cal. Ct. App. 2005). In an appeal from a rape conviction, the defendant
argued, inter alia, that password-protected documents contained on his employerissued laptop in a folder marked "Attorney" were protected by the attorney-client
privilege. The trial court had previously determined these documents were not subject to
the attorney-client privilege because the defendant had no reasonable expectation of
privacy in documents on an employer-issued laptop computer. On appeal, the state
argued the defendant did not have a reasonable expectation of privacy based on the
terms of an employment agreement in which the defendant acknowledged he had no
expectation of privacy for any company-owned property. The appellate court reversed
the trial court’s holding and found the defendant "made substantial efforts to protect the
documents from disclosure by password-protecting them and segregating them in a
clearly marked and designated folder." The appellate court further declared the
prosecution failed to prove the documents were not confidential and noted the
employment agreement did not prevent the defendant from using the laptop for personal
use.
2.
Rejecting Privilege Claim
In Alamar Ranch, LLC v. County of Boise, 2009 WL 3669741, 2009 U.S. Dist. LEXIS
101866 (D. Idaho Nov. 2, 2009), the district court judge held that the attorney-client
privilege had been waived with respect to messages sent by the employee to the
attorney using her employer-assigned e-mail account, and to messages sent to the
employee at her employer e-mail address by the attorney. The court commented that it
was “unreasonable for any employee in this technological age -- and particularly an
employee [who received actual notice of such monitoring] -- to believe that her e-mails,
sent directly from her company's e-mail address over its computers, would not be stored
by the company and made available for retrieval.”
•
The court further found that knowledge of such monitoring could be imputed to
the employee's attorney with respect to messages that he sent to the employee
because the e-mail address to which he sent the messages “clearly” put him on
notice that he was sending to the employee's work address. The court
commented that workplace e-mail monitoring “is so ubiquitous that [the attorney]
should have been aware that the [employer] would be monitoring, accessing, and
retrieving e-mails sent to that address.”
27
8901858.1
2/22/2010
•
But the court found that communications sent to the employee by other clients of
the attorney in the multi-party litigation remained privileged because there was no
evidence that the other clients knew or should have known of the workplace
monitoring and “laypersons are simply not on ‘high-alert’ for such things as
attorneys must be.”
•
The court in Alamar Ranch made clear that it was not ruling on whether the
employee's communications would have been protected had she sent them while
using the employer's computer network, but via her own Web mail account, and
cited Stengart v. Loving Care as an example of such a case. Id. at *4.
In Banks v. Mario Industries of Virginia, Inc., 650 S.E.2d 687 (Va. 2007). an employee
used an employer-owned computer to prepare a memorandum for his attorney
regarding his planned resignation., the employee printed the letter and sent it via nonelectronic mail, and then deleted the electronic copy of the letter. The employer later
forensically recovered the memorandum, and sought to use it as evidence against the
employee. The Virginia Supreme Court held that since “[the employer’s] employee
handbook provided that there was no expectation of privacy regarding [the employer’s]
computers[,]” the attorney-client privilege did not protect the deleted memorandum that
“[the employee] created …on a work computer located at [the employer’s] office. Id. at
695–96.
In Scott v. Beth Israel Med. Ctr., Inc., 2007 WL 3053351 (N.Y.Supp. Oct. 17, 2007), a
former doctor-employee sought contractual damages arising from the defendant’s
alleged termination without cause. On remand following reversal of the district court’s
earlier summary judgment order, the plaintiff sought a protective order requiring the
return of e-mail correspondence between himself and his attorney claiming attorney
client privilege and the work product doctrine. The defendants argued that their e-mail
policy stated that company e-mail is to be used solely for business purposes and that
employees have no personal privacy rights in any material created or communicated on
the company computer systems. The court agreed and denied the plaintiff’s motion
since the defendant notified the plaintiff of the use and monitoring policies.
Employees’ Use of Personal Password-Protected E-mail Accounts on Company
Computers Can Preserve Privilege, But Not Always.
In many cases, an employee’s sending emails using a personal password-protected
email account, even though sent on a company-owned computer, has been enough to
preclude waiver of the privilege as to attorney-client communications contained in the
emails. Curto v. Medical World Communications, Inc., No. 03-CV-6327, 2006 WL
1318387, at *3 (E.D.N.Y. May 15, 2006)(“Plaintiff did take reasonable precautions to
prevent inadvertent disclosure in that she sent the emails at issue through her personal
AOL account which did not go through the Defendants servers.”); National Economic
Research Associates, Inc. v. Evans, No. 04-2618-BLS2, 2006 WL 2440008, at *1
(Mass. Super. Ct. Aug. 3, 2006) (finding no waiver of the privilege regarding emails sent
by an employee to his personal attorney on a company computer where “[m]any of
these attorney-client communications were conducted by e-mail, with Evans sending
28
8901858.1
2/22/2010
and receiving e-mails from his personal, password-protected e-mail account with Yahoo
rather than his NERA e-mail address.”).
The use of password protection does not always equates to privacy. “[An employee]
does not have an absolute expectation of privacy in records kept or accessed on his
workplace computer, even if password protected.” Long v. Marubeni America
Corporation, No. 05-Civ.-639, 2006 WL 2998671, at *3 (S.D.N.Y. Oct. 19, 2006)(finding
that employees’ use of personal password-protected e-mail accounts was insufficient to
preclude waiver of the privilege as to emails sent to their personal attorney using their
personal password-protected email accounts, where they sent the emails on company
computers while on notice that language in the employer’s policy handbook precluded
any expectation of privacy).
Employees Working from a Home Office
In recognizing that an employee had not waived the privilege by leaving traces of
privileged emails on a company computer, the court in Curto noted that “none of [the]
cases [cited by the company] involve[d] an employee working from a home office.”67
The Curto court was careful to note that:
[t]he Court’s holding is limited to the question of whether an employee’s
personal use of a company-owned computer in her home waives any
applicable attorney-client privilege or work product immunity that may
attach to the employee’s computer files and/or e-mails. It does not purport
to address an employee’s right to privacy in an office computer in
general.68
V.
Practical Considerations and Best Practices.
The question for many employers is to what extent should it regulate use of its
information technology software and hardware to protect itself from liability? A few
simple measures can include:
•
Adopt written policies to address social networking as it pertains to your
business activities, employees, and information. Policies should be
consistent with organization’s policies and procedures on confidentiality
and trade secrets; protection of the organization’s property; harassment
and discrimination; privacy of employee/customer information; computer,
internet, e-mail systems; and employee privacy.
Every court addressing workplace waiver has looked to the
employer’s policies regarding employee computer use.69
67
Curto, 2006 WL 1318387, at *5.
68
Curto, 2006 WL 1318387, at *8 (emphasis added).
69
Adam C. Losey, Clicking Away Confidentiality: Workplace Waiver of Attorney-Client Privilege, 60 Fla. L.
Rev. 1179, 1181 (2008).
29
8901858.1
2/22/2010
The absence of any policy on monitoring employees’ internet
activity or the failure of the policy to address the specific type of
communication in question has been problematic for those
employers.70
•
Prohibit the use of company equipment and systems for personal
purposes.
Allowing common usage of personal e-mail on company computers
has been problematic for employers.71
•
Publish and notify employees of policies’ existence.
In addition to providing prior notice to employees that they may be
subject to monitoring in their employee handbooks and policies,
employers may wan to include notice of monitoring or surveillance
on computer log-in pages, signs posted on bulletin boards, and on
company intranet communications.72
•
Inform employees in these policies that they have no expectation of
privacy in any document or communication created, sent or received using
any company equipment or technology, even if the documents or
communications are marked as “private” or password-protected.
•
Train employees on these policies consistent with training on other key
policies.
Instruct your IT personnel and others responsible for workplace
monitoring not to make representations to employees that your
business’ electronic resources policy will not be followed.73
70
See Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008), cert. granted, __ U.S. __
(Dec. 19, 2009)(reasonable expectation of privacy found where the City of Ontario’s written electronics
communications policy expressly prohibited personal use of its computers and notified employees that
they had no expectation of privacy with respect to any communications using the city's computer systems,
but the City's policy did not make clear that this policy applied to its police officers' pagers or to text
messaging); Transocean Capital, Inc. v. Fortin, No. 05-0955-BLS2, 2006 WL 3246401, at *4 (Mass.
Super. Ct. Oct. 20, 2006) (upholding privilege, where “[the employer] did not have its own Policies or
Procedures Manual or Employment Manual setting forth the Company’s policy regarding the review of
emails on the Company’s network”.
71
Curto, 2006 WL 1318387, at *3 & n.2 (finding no waiver of the privilege as to communications with a
personal attorney using a company computer, despite the company’s policy prohibiting such activity,
because “several other MWC employees, including its president, had personal [email] accounts on their
work computers.”).
72
See People v. Ceja, 204 Ill.2d 332, 349 (2003) (inmates who knew their conversations were being
monitored had impliedly consented to monitoring).
73
Quon, 529 F.3d at 896 (the Ninth Circuit noted that in the normal course, the City’s “Computer Use,
Internet and E-Mail Policy” would have defeated Sgt. Quon’s privacy-based claim. However, the police
30
8901858.1
2/22/2010
•
Enforce all policies consistent and uniformly.
Curto, 2006 WL 1318387, at *4–5 (the court considered the
frequency of the employer’s enforcement of its computer usage
policy in upholding an employee’s privilege claims, but
acknowledged that no other court had previously found this factor
to be relevant).
•
Consider requesting that employees maintain “professional” social
networking accounts separate from personal accounts.
•
Consider modifying your electronic resources policy to state that it can not
be modified except by a written communication from a specified senior
executive. See Quon.
•
Consider whether or not to prohibit supervisors, managers, and
administrators from “friending,” linking/connecting to, recommending or
otherwise endorsing subordinates, suppliers, contractors, and customers.
•
Employers should institute protocols and procedures to make sure that
there is a legitimate business need and that legal counsel has been
obtained before taking action that may be construed as an intrusion into
employee privacy, such as harassment prevention, ensuring the safety of
others, or maintaining corporate confidential information.
•
Incorporate and reference harassment and discrimination policies when
adopting social networking policies that prevent employees from “posting
material that is abusive, offensive, insulting, humiliating, obscene, profane,
or otherwise inappropriate regarding the organization, its employees,
vendors, suppliers, business partners and competitors.”
•
Internet usage policies should include language preventing employers
from “engaging in any conduct that may be construed as harassment
based on race, ethnicity, color, national origin, religion, sex, sexual
orientation, age, disability, or any other legally protected characteristic.”
•
Policies should address confidentiality and trade secret protections and
prohibit employees from disclosing or discussing while in social
networking information about customers, partners or suppliers;
organization’s confidential information and trade secrets; and information
regarding the organization’s clients, affiliates, partnerships. Importantly,
employers must train employees on the confidential information policy.
lieutenant responsible for overseeing the City’s text-message program had established an informal policy,
communicated orally to Sgt. Quon, that the City would not read an officer’s text messages to determine
whether they were personal or business-related so long as the officer paid for any over charges).
31
8901858.1
2/22/2010
•
Social networking policies should clearly state that employees engaging in
social networking and blogging for either personal or professional reasons
must remain respectful and refrain from defaming or disparaging the
organization, its employees, customers, suppliers, business partners and
competitors.
•
Employees should be prohibited from writing about, posting pictures of, or
identifying by name any customers, suppliers, vendors or other employees
without their permission.
•
Employers’ cyber-policies should limit employees’ authority to speak on
behalf of the organization. Unless the employee has explicit authorization
to do so, he or she may should not use the organization’s name in the
online identity (e.g. username, “handle,” or screen name), claim or imply
that authorized to speak as a representative of the organization, or use the
organization’s intellectual property, logos, trademarks, and copyrights in
any manner. The posting of pictures of Company events, activities that
occur at Company facilities or while on Company business should also be
prohibited.
•
Employers should put employees on notice and have them sign written
acknowledgements that have no reasonable expectation of privacy on the
organization’s computers, email systems, internet, and while on
organization business (also address telecommuting situations).
•
Employers should have written notice to employees that information
exchanged on non-private social networking sites can be accessed by the
organization.74
•
Employers should consider whether Social Networking Policies should
also put employees on notice that when important corporate interests are
involved (e.g., a governmental investigation), employees may be asked to
suspend their off-duty blogging/twittering about the company and/or
provide the company with access to password protected social networking
sites.
-
They should also be informed in writing that their failure to
cooperate with such requests by the company would result
in discipline up to and including termination.
-
Employees should also be required to sign (electronically or
a hard copy) a Consent Form and/or they should be notified
74
Eric L. Barnum and Nora Kersten Walsh, Every Breath You Take: Blogging, Texting, E-mails and Social
Networking in the Workplace, American Bar Association Section of Labor and Employment 3rd Annual
CLE Conference, Washington D.C. (November 5, 2009).
32
8901858.1
2/22/2010
that continued employment after receipt of the Social
Networking Policies will be deemed consent to them.
Cf., Biby v. Board of Regents, of University of Nebraska at Lincoln,
419 F.3d 845, 201 Ed. Law Rep. 36 (8th Cir. 2005) (rejecting
contention that contractually authorized evidence-gathering ran
afoul of a reasonable expectation of privacy, even where employer
had erroneously asked for employee consent to do collection);
TBGIns. Services Corp. v. Superior Court, 96 Cal. App. 4th 443,
452-54, 117 Cal. Rptr. 2d 155 (2d Dist. 2002) (no "reasonable
expectation of privacy" under Const. Art. I, § 1 where employee had
consented in writing to employer's policy statement that it monitored
electronic communications conducted on work-at-home PCs and
office PCs; in wrongful termination case based on employee's
alleged intentional and repeated accessing of sexually explicit
websites, employer could obtain discovery of hard drive of work-athome computer it had provided to employee); Garrity v. John
Hancock Mut. Life Ins. Co., 2002 WL 974676, at *1-2 (D. Mass.
2002) (employees of company that has e-mail monitoring policy
have no reasonable expectation of privacy in e-mail
correspondence; and, even if they did, employer's legitimate
interest in protecting other employees from harassment would likely
trump privacy concerns); See also, Prosser and Keeton on the Law
of Torts, p 112 (5th ed.)(requiring employees to give written
consent to the monitoring of e-mail will normally vitiate common-law
privacy claims).
But see Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420
(D.N.J. Sept. 25, 2009), (upholding a jury verdict that a restaurant
chain violated the SCA and a similar New Jersey law by allegedly
requiring an employee to surrender to restaurant managers login
information that allowed access to restricted-access employee
MySpace chat room).
VI.
What the Future Holds for Employer Monitoring of Employee Off-Duty
Internet Usage
The “Cloud”
One commentator referred to “the cloud” as “this virtual platform … where users interact
with Internet applications and store data on distant [third-party owned] servers rather
than on their own hard drives” and advocated treating digital assets on third-party sites
the same way that the law currently would treat physical assets kept in an apartment or
storage locker:
[T]he service provider has a copy of the keys to a user's cloud "storage
unit," much like a landlord or storage locker owner has keys to a tenant's
space, a bank has the keys to a safe deposit box, and a postal carrier has
33
8901858.1
2/22/2010
the keys to a mailbox. Yet that does not give law enforcement the
authority to use those third parties as a means to enter a private space.
The same rationale should apply to the cloud. In some circumstances, such as search
engine queries, the third party is clearly an interested party to the communication. But
when content data, passwords, or URLs are maintained by a service provider in a
relationship more akin to that of landlord-tenant, such as private Google accounts, any
such data that the provider is not directly interested in should not be understood to be
open to search via consent or a waiver of Fourth Amendment protection.75
75
David A. Couillard , "Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy
Expectations in Cloud Computing," 93 Minn. L. Rev. 2005, 2237-38 (June 2009).
Available at: http://www.minnesotalawreview.org/sites/default/files/Couillard_MLR.pdf
34
8901858.1
2/22/2010
Databases with Sample Social Networking/Blogging Policies and Guidelines
Comprehensive Database of 117 Organizational Social Media Policies
http://socialmediagovernance.com/policies.php
Sample Social-Media Guidelines from Delaware Employment Law Blog published by
Young, Conway, Stargatt & Taylor
http://www.delawareemploymentlawblog.com/2009/12/sample_socialmedia_guidelines.
html
a.
Policies from Media Organizations
Associated Press Social Networking Q&A (PDF via Wired.com)
http://www.wired.com/images_blogs/threatlevel/2009/06/apsocialnetworkingpolicy.pdf
NPR News Staff Social Media Guidelines
http://www.npr.org/about/ethics/social_media_guidelines.html
b.
Policies from Technology Industries
IBM Social Computing Guidelines
http://www.ibm.com/blogs/zz/en/guidelines.html
Intel Social Media Guidelines
http://www.intel.com/sites/sitewide/en_US/social-media.htm
SAP Social Media Guidelines 2009
http://www.socialmediatoday.com/SMC/108483
Sun MicroSystems Guidelines on Public Discourse
http://www.sun.com/communities/guidelines.jsp
c.
Online Repositories and Collections of Links to Social Media
Policies
TechRepublic Links to Social Media Policies
http://downloads.techrepublic.com.com/abstract.aspx?docid=1018503
About.com Sample Blogging Policy
http://humanresources.about.com/od/policysamplesb/a/blogging_policy.htm
Laurel Papworth’s Collection of Social Media Policies from 40 Enterprises
http://laurelpapworth.com/enterprise-list-of-40-social-media-staff-guidelines/
35
8901858.1
2/22/2010
SAMPLE TECHNOLOGY AND ELECTRONIC COMMUNICATIONS POLICY
[Covering Social Networking, Blogging and Twitter]
I.
Purpose
The Company provides its attorneys and employees ("users") with technology
resources to conduct the business of the Company. Such technology includes
computer systems and networks, telephone systems, copy machines, facsimile
machines and other equipment and software (collectively, the "Company Technology").
In addition, users may access Company Technology or transmit information belonging
to the Company (or its clients) through equipment owned by a user or third party, such
as home computers, smart phones (iPhones, Blackberrys) and other personal devices.
In order to ensure that these technology resources are used properly, preserve the
integrity of these systems and the information contained on them, comply with
applicable laws and protect the reputation of the Company and its attorneys, staff,
clients and business partners, the Company has created this Technology and Electronic
Communications Policy.
The rules and obligations described in this Policy apply to all users of Company
Technology, irrespective of where they may be using Company Technology (i.e., at their
office, home or otherwise) or how they may be accessing Company Technology. This
Policy also applies to users who use equipment or technology that is owned by them or
third parties in a manner that adversely affects the Company. Users who violate this
Policy may be subject to discipline, up to and including termination. Obligations with
respect to this Policy shall survive the end of any user's relationship with the Company.
II.
Use of Company Technology
Users are given access to Company Technology to assist them in conducting the
business of the Company. Consequently, all users have the responsibility to use the
Company's computers, networks and communication systems in a professional, ethical
and lawful manner. It is important to recognize that, since these resources belong to the
Company, although some limited personal use may occasionally occur, Company
Technology is intended to be used for authorized business purposes only. All
information created, transmitted or stored using Company Technology is and shall
remain the exclusive property of the Company.
Further, no user may use Company Technology to violate any copyright, trade secrets
or other rights of the Company or third parties. This includes, but is not limited to, the
unauthorized copying, use or transmission of trademarked or copyrighted materials,
trade secrets and intellectual property of others, including music, video and third party
computer software. Users should assess the protected status of materials they send
and receive by, among other things, looking for copyright notices and other indicia that
the materials are protected. If a user is unsure about whether any material is protected,
he or she should ask their supervisor or practice group leader or a member of the
Information Technology Department ("IT Department"). All material generated, received
36
8901858.1
2/22/2010
or stored on Company Technology becomes the property of the Company and must be
handled in accordance with its policies.
Users may not use Company Technology to harass, defame, threaten or otherwise
commit a violation of applicable laws, Company policies, rules, regulations or ethical
rules. Use of Company Technology for personal gain, to send chain letters, or solicit
money for religious or political causes is also not permitted. “Snooping,” “pretexting”
(using another’s identity) and unauthorized monitoring (including attempts to read, copy,
modify or delete) others’ e-mail, voice mail or other electronic communications violates
this Policy and may be grounds for termination (and may subject user to other
penalties).
III.
The Company's Right to Monitor and Regulate Usage of Company Technology
Although it is not the Company's intention to unduly intrude upon a user's personal
activities, the Company reserves the right to inspect files, messages or other uses of
Company Technology at any time in its discretion to determine compliance with policies,
respond to lawful subpoenas or court orders, investigate misconduct, locate information,
or for any other business purpose. The Company reserves the right to delete, edit or
move any files or software at any time from any Company-owned equipment without
prior notice. The best way for a user to ensure the privacy of personal information is not
to store or transmit it using Company Technology.
The Company also reserves the right to monitor, access and disclose any and all usage
of its computers, networks and communication systems, including but not limited to the
usage of Company Technology via personal computers, smart phones and other
devices owned by users or third parties. The Company may also monitor sites that
users visit on the Internet, review material downloaded or uploaded by users, and
review stored electronic mail and voice mail sent and received by users, which in any
way involve the use of Company Technology. Users should have no expectation of
privacy in anything they create, store, send or receive through the direct or indirect use
of Company Technology.
IV.
The Company’s Rights Concerning Personal Internet Activity that Affects the
Company.
The Company also may require the immediate deletion, return or transfer of information
belonging to the Company (or its clients) and the cessation of postings and other
communications that may adversely affect the Company from personally-owned or thirdparty’s equipment, websites, blogs and other technologies. In rare cases when
important Company interests are at stake, the Company may require that a user provide
the Company with access to a personal website, blog or social networking page, even if
it is protected by a personal password or is otherwise access-restricted. The failure to
cooperate with such requests may result in discipline up to and including termination.
37
8901858.1
2/22/2010
The Company will cooperate fully with appropriate authorities to provide information
related to actual or suspected activity not consistent with the law. All users are required
to cooperate in any Company investigation of such conduct.
V.
User IDs and Passwords
Each user at Arnstein & Lehr LLP is granted a unique set of user IDs and passwords to
use Company Technology. These IDs grant full or partial access to the Company’s
computer and voice mail systems. Users are responsible for any and all activity that
occurs under their assigned IDs and passwords, regardless of who is using those IDs or
passwords.
A password is established in connection with the IDs. The password is to be kept
confidential (except for designated Company personnel). Users should change their
passwords periodically in accordance with Company policies. The fact that a user is
allowed to use personal IDs and/or passwords does not create any reasonable
expectation of privacy in Company Technology.
Users should not share their passwords with co-workers or third parties, and should not
allow others to use their user IDs and/or passwords, except in accordance with
Company policies. The unauthorized use of another user’s IDs and passwords is
prohibited. Users are required to disclose their IDs and passwords to members of the
Company's IT Department or other designated Company representatives.
Immediately, upon the end of a user’s relationship with the Company, the user’s IDs and
passwords may be disabled or removed from the system. However, the user's IDs and
passwords remain the property of the Company.
VI.
Software
The rights to use the software and related documentation provided by the Company
(collectively, the "Software") either belong to the Company or are governed by license
agreements with which the Company must abide. Violation of these license agreements
could subject the Company to liability. Therefore, to ensure that the Company complies
with the license agreements governing the use of the Software, all users must abide by
the provisions of this Policy (irrespective of the manner by which the Software is
embodied or stored). Any client or third party interaction with or access to the Software
or Company Technology (except for electronic mail messages) should be approved in
advance by the Company's Director of Information Technology.
As a general rule, the installation and maintenance of all Software shall be handled
solely by the Company's IT Department. No user may use, alter, modify or change the
Company's Software in any way other than as described in the documentation
accompanying the Software. Users may not access or attempt to access any Company
Software, files or directories that have not been authorized for their use. They also may
not give or loan any Software, or allow access to Company Technology to any
unauthorized individuals
38
8901858.1
2/22/2010
No user may copy or download any Company-owned/licensed software to any personal
(non-Company) equipment without the express written permission of the Company. In
addition, the Company's permission is required before a user may copy, transfer or
download any non-Company software onto any Company Technology.
VII.
Data Retention
Users should understand that information created, stored or transmitted using Company
Technology may be electronically recalled or reconstructed, even though it may have
been "deleted" by the users, so any communication using Company Technology should
be written with that principle in mind. Thus, users should exercise care in what
information or statements they create in electronic form in order to avoid potential
embarrassment or legal liability for themselves or the Company.
As a general rule, users should not place any data upon the “desktop” or non-integrated
drives of Company computers, laptop computers, “thumb” or “flash” drives and other
electronic storage devices, and personal computers that is not made part of Company
Technology (e.g., IManage, etc.). In addition, users should refrain from transferring
data belonging to the Company or its clients to personal email accounts and personal
equipment except when needed to serve the Company and its clients.
Users should immediately report the loss of Company-owned computer equipment
(including the loss of personal computers, smart phones and other devices containing
data belonging to the Company or its clients) to their supervisors, practice group
leaders, and the IT Director.
VIII.
Internet Usage
Because of its nature, users who access the Internet may encounter material that is
inappropriate, offensive, and, in some cases, illegal. Users are advised that they will be
held responsible for the Internet sites and the material they review, transmit or
download from the Internet using Company Technology. The Company's general
policies apply to users' use of Company Technology to access the Internet.
Users need to exercise caution before transmitting confidential and/or personnel
information (such as social security numbers, personal addresses or telephone
numbers, banking information, and/or health information) on the Internet using
Company Technology or personal equipment. Identity theft and other adverse
consequences can result.
Before a user contributes to any blog or Internet website using Company Technology or
referring to the Company, the user will be expected to take steps described above in
Section C of this Policy to ensure that what is said will not be interpreted as the opinion
of the Company, will not disclose confidential information, reflect adversely on the
Company, its clients, employees and attorneys or anyone connected with it, or
otherwise violate any other Company policies.
39
8901858.1
2/22/2010
IX.
Voice Mail and E-mail
The Company provides voice and electronic mail systems to assist in timely and
efficient communication on behalf of the Company. Users are responsible for ensuring
the accuracy, security and control of information belonging to the Company and its
clients and that the communications are appropriate and professional. The rules and
obligations described in this Policy are applicable to all internal and external uses of
Company Technology, including those which may, either directly or indirectly, use the
Internet.
No user may access the email or voicemail, retrieve any stored communication, or use
the ID/password of any other user unless authorized to do so by the Company. The
Company reserves the right to monitor and disclose stored email and voicemail
messages, Internet usage, or other uses of technology that adversely affect the
Company.
Users are encouraged to use the Public Forum Bulletin Board feature in Outlook for
messages relating to the sale or availability of sports or entertainment tickets, birth
announcements involving Company personnel, or non-Company sponsored events,
such as going-away parties, baby showers, etc. Instructions on the use of this feature
are available from the IT Department.
X.
Ownership and Control of Company Technology
Company Technology and any content, data or other electronically stored information
created, stored or otherwise transmitted through the use of Company Technology,
including but not limited to the Company’s computer, voice and electronic mail systems,
are owned by the Company and are provided to assist in the performance of Company
business. All messages and other information communicated through these systems
are the property of the Company.
XI.
Security
When using Company Technology or transmitting Company-related information or
documents over the Internet, care must be taken to prevent computer viruses and
unlawful or offensive materials from being brought into Company Technology. Users
are required to use virus-scanning software provided by the Company to scan files,
documents, e-mail attachments or diskettes brought in from the outside before they are
opened and used. Any questions concerning this software should be directed to the IT
Department.
When communicating any message of a highly confidential nature, certain encryption
technology may be employed to enhance the security of the transmitted message (the
Company's Director of Information Technology should be consulted for further details).
No User shall encrypt e-mail messages or files without using software pre-approved by
the Company.
40
8901858.1
2/22/2010
Users are also prohibited from taking any action that deliberately or negligently attempts
to degrade or harm the performance of Company Technology, including but not limited
to installing viruses or other invasive software, destroying or improperly accessing
unauthorized data, tampering with or attempting to disable any of the security systems
protecting Company Technology, “hacking” into the system, or other unauthorized
activity using technology that adversely affects the Company.
XII.
Driving While Using Communicative Devices
Because of a concern for the safety of users and third parties, the Company prohibits
the use of Company Technology or other communicative devices while operating a
motor vehicle in connection with Company business, except with "hands-free"
equipment or otherwise in accordance with applicable laws. This Policy applies to the
use of Company Technology while driving, but also applies to the use of personal
cellular telephones and other communicative devices while driving in connection with
work for the Company or on client-related business (even if the call does not involve
Company business). For safety reasons, users should always use “hands-free”
equipment or pull off the road, stop their vehicles in a safe place, and then use their cell
phone or other communicative device.
XIII.
Reporting Violations of This Policy
A user who becomes aware of violations of this Policy, any Addenda should
immediately report it to his/her supervisor/practice group leader, the Director of Human
Resources, the Director of Information Technology, the Director of Administration, or if
the above are not available, a member of the Company’s Executive Committee. All
reports will be investigated promptly and confidentially. Retaliation against any user for
reporting a violation of this Policy or cooperating with an investigation will not be
tolerated.
If a user has any questions about this Policy, any Addenda or any matter related to
Company Technology or electronic communications that are not addressed here,
please direct them to the persons identified in the preceding paragraph as appropriate.
As with the Company’s other policies, no one connected with the Company, other than
in writing issued by the Chair of the Company’s Executive Committee, has authority to
modify this Policy or to suggest that this Policy, any Addenda or any other Company
policy will not be enforced as written.
The failure to comply with these policies may result in disciplinary action, up to and
including discharge.
XIV.
Consent to This Policy and Any Addenda
A user's continued employment or other relationship with the Company after receipt of
this Policy or any Addenda constitutes consent to this Policy or any Addenda, including,
but not limited to, the Company's right to monitor all usage of Company Technology and
to require access to a user’s personal or third-party equipment, blogs and other modes
41
8901858.1
2/22/2010
of communication that affect the Company. Users will also be required to sign a written
acknowledgement confirming that they have read this Policy and any Addenda and
agree to comply with it.
ADDENDUM TO TECHNOLOGY AND ELECTRONIC COMMUNICATIONS POLICY
Blogging and Other Social Media
In general, the Company takes a positive view of attorneys and employees using and
posting to websites, blogs, social networking media (LinkedIn, Facebook, etc.),
twittering and similar technology for personal use and Company-related business (all of
which are referred to in this policy as “blogging” or social networking), provided that
users observe certain guidelines and their activities do not adversely affect the
Company, its clients, or its employees and attorneys.
Personal Blogs and Other Modes of Self Expression. As a general rule, users
should make sure they comply with Company policies and the guidelines listed below
before they identify themselves as associated with the Company or discuss matters
related to the Company, its technology, business or clients on personal or non-workrelated websites or blogs. Bear in mind that, although a user may view his or her
posting to a website or blog as a personal project and a medium of personal expression,
some readers may nonetheless view the user as a de facto spokesperson for the
Company. In light of this possibility, especially if a user identifies him/herself as
associated with the Company on a non-work-related blog or website, the user must
observe the following guidelines:
•
Be Professional. The same rules that apply to other Company-related
communications apply to blogging, texting, twittering and all forms of social
networking.
•
Be Accurate. Make it clear to readers that the views expressed are the
user’s alone and that they do not necessarily reflect the views of the
Company or its clients.
•
Maintain Confidences. Do not disclose any trade secrets, customer
confidences and information that is confidential or proprietary to the
Company, its clients, attorneys, employers or to any third party that has
disclosed information to the Company. Consult with practice group leaders or
supervisors for guidance about what constitutes confidential information.
•
Be Conscientious. Do not use Company Technology to develop, design or
maintain personal blogs or social networking unless they are being used for
Company-related purposes (such as occasionally updating on-line profiles
used for marketing purposes).
42
8901858.1
2/22/2010
•
Be Discreet. Activities that occur at Company facilities or while on Company
business should not be shared on public blogs or social media. Do not post
pictures of Company events or the interior of the Company facilities, coworkers, customers, suppliers or vendors without express authorization.
•
Be Respectful. Do not disparage the Company and its clients, attorneys,
employees, competitors or colleagues. Do not engage in impolite dialogues
on public blogs and websites.
•
Be Courteous. Do not use a personal blog or posting to violate the rights of
anyone connected with the Company by harassing, defaming, invading the
privacy, publishing private facts or misusing the intellectual property of others.
Just as the Company does not tolerate racial and other prohibited slurs,
threats of violence, or harassment, discrimination and retaliation in the
workplace, such conduct in cyber-space will not be tolerated and is grounds
for termination.
•
Be Judicious. Do not “friend,” connect with, or post to inappropriate persons
or entities (such as opposing parties represented by counsel). Be careful
when “friending” or “connecting with” subordinates, supervisors, judges,
witnesses and others with whom communications must be professional and
discrete. Do not “spam” about the Company (i.e., inappropriately sending
mass postings to persons who have not indicated that they want to receive
such communications).
•
Be Circumspect. Recommending, endorsing, or providing testimonials
about vendors, former colleagues, suppliers, consultants, opposing parties
and their counsel, judges and other third-parties requiring circumspect
communications should be done only when appropriate and in accordance
with applicable rules.
•
Be Truthful. Do not deceive readers, write false endorsements or engage in
other deceptive acts in connection with any blog or public posting, and do not
ask anyone else to do so.
•
Be Careful. Users must take care not to inadvertently create attorney-client
relationships, provide legal advice, engage in improper solicitations,
advertising or the unauthorized practice of law, or provide false or misleading
information about the Company, its attorneys or their services.
•
Be Transparent. If you blog or post anonymously, we would prefer that you
do not discuss matters that might adversely effect the Company or its clients,
attorneys, or employees. If Company-related topics are mentioned, you
should disclose your identity and affiliation with the Company.
43
8901858.1
2/22/2010
•
Be Responsible. Make sure that your blogging and social networking activity
do not violate applicable laws, ethical rules or Company policies or interfere
with work commitments.
The Company may, from time to time, request that users temporarily confine their
website activity, social networking or blog commentary to topics unrelated to the
Company (or, in rare cases, that users temporarily suspend their website, blogging or
posting activity altogether) if the Company decides that the Company decides that this
is necessary or advisable to do so for confidentiality or legal compliance reasons. User
may be requested to provide access to personal blogs and networking sites in such
cases. Failure to cooperate with such requests may result in discipline up to and
including termination.
Twitter, Texting and Other Modes of Electronic Communication. Twitter and
texting have become very prevalent. A major concern when it comes to Twitter is not
only the time it takes to create a post, but the time and distraction caused by trying to
follow numerous conversations. Twitter postings and the use of Twitter monitoring tools
(Twhirl, Twitterific, TweetDeck, etc.) during working hours should be work-related.
Social Videos, Online Shopping and Other Non-Work-Related Internet Activity.
Users are expected to refrain from viewing pornographic sites, watching videos on
YouTube and similar sites, shopping online and reading/posting to personal blogs while
at work, during working hours or if Company Technology is used in any way. We don’t
want to ban or block such activities, but Company Technology is for work purposes
only. Non-work-related Internet activity may not interfere with your work commitments.
All aspects of the Company’s Technology and Electronic Communications Policy and
this Addendum applies to all non-work related Internet activities that affects the
Company, including all forms of electronic communication not specifically mentioned
here.
Company-Sponsored Blogs and Blogging for Business Reasons. When posting on
a Company-sponsored blog or on personal/third party blogs or other websites (including
twittering and texting) for business purposes or other Company-related reasons, the
Company’s other policies apply as well as this Technology and Electronic
Communications Policy. Users should confirm the nature and scope of their authority
before posting on a Company-sponsored blog or representing the Company on a thirdparty blog or website. All such posts must be courteous, professional and consistent
with Company standards and policies as well as those of the blog or website. Users
should disclose who they are and their role with the Company from the first
communication. Users must take care not to disclose confidential information or trade
secrets. Users are responsible for what they post on Company-sponsored blogs as well
as what they post about the Company on personal/third-party blogs and websites.
44
8901858.1
2/22/2010
SAMPLE POLICY ON MONITORING OFF-DUTY INTERNET
USAGE AND SOCIAL NETWORKING
Policy from ePolicy
Sample Web Acceptable Usage Policy
The Company is pleased to offer associates access to the organization’s computer
Network and the Internet. This Policy applies to employees granted Network and
Internet access by the Company. For the Company to continue making Network and
Internet access available, employees must behave appropriately and lawfully. Upon
acceptance of your account information and agreement to follow this Policy, you will be
granted Network and Internet access in your office. If you have any questions about the
provisions of this Policy, you should contact the Chief Information Officer.
If you or anyone you allow to access your account (itself a violation of this Policy)
violates this Policy, your access will be denied or withdrawn. In addition, you may be
subject to disciplinary action, up to and including termination.
1. Personal Responsibility
By accepting your account password and related information, and accessing the
Company’s Network or Internet system, you agree to adhere to this Policy. You also
agree to report any Network or Internet misuse to the Chief Information Officer. Misuse
includes Policy violations that harm another person or another individual’s property.
2. Term of Permitted Use
Network and Internet access extends throughout the term of your employment, provided
you do not violate the organization’s Computer Network and Internet Acceptable Usage
Policy. Note: The Company may suspend access at any time for technical reasons,
Policy violations, or other concerns.
3. Purpose and Use
The Company offers access to its Network and Internet system for business purposes
only. If you are unsure whether an activity constitutes appropriate business use, consult
the Chief Information Officer.
4. Netiquette Rules
Employees must adhere to the rules of Network etiquette, or Netiquette. In other words,
you must be polite, comply with the Company’s ethics policy and code of conduct,
adhere to the organization’s electronic writing and content guidelines, and use the
Network and Internet appropriately and legally. The Company will determine what
materials, files, information, software, communications, and other content and activity
are permitted or prohibited, as outlined below.
45
8901858.1
2/22/2010
5. Banned Activity
The following activities violate the Company’s Computer Network and Internet
Acceptable Usage Policy:
(A) Using, transmitting, receiving, or seeking inappropriate, offensive, vulgar,
suggestive, obscene, abusive, harassing, belligerent, threatening, defamatory (harming
another person’s reputation by lies), or misleading language or materials.
(B) Revealing personal information, such as the home address, telephone
number, or financial data of another person or yourself.
(C) Making ethnic, sexual-preference, or gender-related slurs or jokes.
(D) Engaging in illegal activities, violating the Employee Handbook, or
encouraging others to do so. Examples:
1.
Selling or providing substances prohibited by the Company’s employment
policy or the Employee Handbook.
2.
Accessing, transmitting, receiving, or seeking unauthorized, confidential
information about clients or colleagues.
3.
Conducting unauthorized business.
4.
Viewing, transmitting, downloading,
pornographic, or illegal materials.
5.
Accessing others’ folders, files, work, networks, or computers. Intercepting
communications intended for others.
6.
Downloading or transmitting the organization’s confidential information or
trade secrets.
(E)
Causing harm or damaging others’ property. Examples:
1.
Downloading or transmitting copyrighted materials without permission
from the copyright holder. Even when materials on the Network or the
Internet are not marked with the copyright symbol, ©, employees should
assume all materials are protected under copyright laws––unless explicit
permission to use the materials is granted.
2.
Using another employee’s password to trick recipients into believing
someone other than you is communicating or accessing the Network or
Internet.
46
8901858.1
2/22/2010
or
searching
for
obscene,
3.
Uploading a virus, harmful component, or corrupted data. Vandalizing the
Network.
4.
Using software that is not licensed or approved by the Company.
(F)
Jeopardizing the security of access, the Network, or other Internet
Networks by disclosing or sharing passwords and/or impersonating others.
(G)
Accessing or attempting to access controversial or offensive materials.
Network and Internet access may expose employees to illegal, defamatory, inaccurate,
or offensive materials. Employees must avoid these sites. If you know of employees
who are visiting offensive or harmful sites, report that use to the Company’s Chief
Information Officer.
(H)
Engaging in commercial activity. Employees may not sell or buy anything
over the Internet. Employees may not solicit or advertise the sale of any goods or
services. Employees may not divulge private information––including credit card
numbers and Social Security numbers—about themselves or others.
(I)
Wasting the Company’s computer resources. Specifically, do not waste
printer toner or paper. Do not send electronic chain letters. Do not send email copies to
nonessential readers. Do not send email to group lists unless it is appropriate for
everyone on a list to receive the email. Do not send organization-wide emails without
your supervisor’s permission.
(J)
Encouraging associates to view, download, or search for materials, files,
information, software, or other offensive, defamatory, misleading, infringing, or illegal
content.
6. Confidential Information
Employees may have access to confidential information about the Company, our
employees, and clients. With the approval of management, employees may use email to
communicate confidential information internally to those with a need to know. Such
email must be marked “Confidential.” When in doubt, do not use email to communicate
confidential material. When a matter is personal, it may be more appropriate to send a
hard copy, place a phone call, or meet in person.
7. Privacy
Network and Internet access is provided as a tool for our organization’s business. The
computer system is the property of the Company. The Company has the legal right to
monitor usage of the Network and the Internet. Employees have no reasonable
expectation of privacy when using the Company’s computer system, Network, or
Internet.
47
8901858.1
2/22/2010
8. Noncompliance
Your use of the Network and the Internet is a privilege, not a right. Violate this policy
and, at minimum, your access to the Network and the Internet will be terminated,
perhaps for the duration of your tenure with the Company. Policy breaches include
violating the above provisions, and failing to report violations by other users. Permitting
another person to use your account or password to access the Network or the Internet–
–including but not limited to someone whose access has been denied or terminated—is
a violation of Policy. Should another user violate this Policy while using your account,
you will be held responsible, and both of you will be subject to disciplinary action.
Employee Acknowledgment
Note: If you have questions or concerns about this ePolicy, contact the Company’s
Chief Information Officer before signing this agreement.
I have read the Company’s Computer Network and Internet Acceptable Usage Policy
and agree to abide by it. I understand violation of any of the above terms may result in
discipline, up to and including my termination.
_______________________ _________________ ______________
Employee Name (Printed) Employee Signature Date
© 2006, 2007, Nancy Flynn, The ePolicy Institute, www.epolicyinstitute.com.
48
8901858.1
2/22/2010

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz