Thursday, October 24, 2013

The legal reason why you shouldn’t force employees to turn over social media passwords

There has been a lot of ink spilled out on the supposed practice of employers requiring employees to provide access to their private social media accounts. I’ve long espoused both that this practice is not occurring with sufficient regularity to justify a legislative fix (despite New Jersey just becoming the 12th state to enact a legislative ban), and that employers should nevertheless avoid this practice because it erodes the trust that is necessary to build a workable employer/employee relationship.

Ehling v. Monmouth-Ocean Hospital Service Corp. (D.N.J. 8/20/13) provides further legal justification for employers to avoid this practice.

Deborah Ehling worked as a registered nurse and paramedic for MONOC beginning in 2004. Beginning in 2008, Ehling maintained a Facebook account with approximately 300 “friends.” She chose restrictive privacy settings on that account so that only her Facebook friend could see her wall posts. While Ehling had no MONOC managers as Facebook friends, she did add many coworkers, including a paramedic named Tim Ronco. Unbeknownst to Ehling, Ronco was taking screenshots of her Facebook wall and printing them or emailing them to MONOC manager Andrew Caruso. Caruso never asked Ronco for information about Ehling, and never requested that Ronco share Ehling’s Facebook activity. Nevertheless, once Caruso received copies of the Facebook posts, he passed them on to MONOC’s Executive Director of Administration.

On June 8, 2009, Ehling posted the following statement to her Facebook wall:

An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards....go to target practice.

After MONOC management learned of the post, it temporarily suspended Ehling with pay. After MONOC fired Ehling for unrelated attendance issues, she sued, and claimed, among other things, that MONOC’s access of her private Facebook wall violated the Stored Communications Act and her common law right to privacy.

The SCA covers (1) electronic communications, (2) that were transmitted via an electronic communication service, (3) that are in electronic storage, and (4) that are not public. The Court had little issue concluding that the SCA covers non-public Facebook wall posts.

The SCA, however, has an exception for “authorized users.” This exception applies where (1) access to the communication was “authorized,” without coercion or pressure, (2) “by a user of that service,” (3) “with respect to a communication … intended for that user.” Ehling had no evidence to support her claim that MONOC’s access of her Facebook page was unauthorized. To the contrary, the evidence showed that Ronco voluntarily shared the information with Caruso, and, therefore, was “authorized” under the SCA. Thus, no violation of the SCA occurred via MONOC’s possession of wall posts from Ehling’s private Facebook page.

The Court disposed of Ehling’s invasion of privacy claim on similar grounds. In doing so, however, the Court made the following interesting observation:

The evidence does not show that Defendants obtained access to Plaintiff’s Facebook page by, say, logging into her account, logging into another employee’s account, or asking another employee to log into Facebook. Instead, the evidence shows that Defendants were the passive recipients of information that they did not seek out or ask for. Plaintiff voluntarily gave information to her Facebook friend, and her Facebook friend voluntarily gave that information to someone else … This may have been a violation of trust, but it was not a violation of privacy.

In other words, the Court may have found a privacy invasion if the employer had used surreptitious or coercive means to gain access to its employee’s Facebook page. Thus, whether or not a statute specifically prohibits employers from requiring the disclosure of social media account information, this court makes it clear that an employer’s demand of such information is nevertheless illegal. Or, to put it another way, please don’t ask your employees to turn over their online passwords.

This post originally appeared on The Legal Workplace Blog.