Delaware Social Media Privacy Law Moves Ahead

At our Annual Employment Law Seminar last week, I spoke about the “Facebook Privacy” bill that was then pending in Delaware’s House of Representatives.  The bill passed the House on later that day and is now headed to the Senate.  For those of you who weren’t in attendance last week, here’s a brief recap of the proposed law. 

The stated purpose of HB 109 is to protect individuals’ privacy in their personal social media accounts.  Generally speaking, HB 109 would prohibit employers from requiring or requesting that an employee or applicant give the employer access to their personal social-media accounts-either by giving up their passwords or by logging in and letting the employer take a look (also known as “shoulder surfing”). 

As we all know, though, with any law, the devil is in the details.  And there are, not surprisingly, a few devilish details.  For example. . .

HB 109 prohibits an employer from asking an employee (or applicant) from disclosing “a username . . . for the purpose of enabling the employer to access personal social media.”  As written, that would mean that an employer could not ask a candidate what his or her Twitter handle is.  Twitter is, generally speaking, a publicly available site. 

So an applicant could have a public Twitter account, where he tweets racist or sexist speech or talks about how he likes to steal money from his current employer, but the employer wouldn’t be able to ask about it?  Huh?  I supposed we’d just have to wait till discovery in a lawsuit before we could ask for that (public information)?  Not my favorite part of this law.

There are other confusing parts of HB 109 that I think likely are unintended consequences of the legislation.  But, with 38 votes in favor and none against, it appears that the unintended consequences are well on their way to becoming law.  We’ll see what the Senate has to say about it and will be sure to keep you updated.  In the meantime, you can track HB 109 here.

Lawsuits, Discovery, and the Right to Privacy In the Context of Social Media

A party’s “right to privacy” in the context of social media is the subject for numerous motions in civil litigation.  The scenario goes like this:  Plaintiff sues defendant, alleging injuries.  Defendants seeks discovery of Plaintiff’s social-media content, such as photos, posts, and comments, in the hopes of disproving liability and/or damages.  Plaintiff claims right to privacy in social-media content.  Court must decide.logo_from_dev

Because these cases are so fact specific, it can be difficult to extract a single principle or set of guidelines from their holdings.  But a recent case from an appellate court in Florida is a terrific example of the basic balancing act.

In Nucci v. Target Corp., the plaintiff claimed to have suffered physical injuries while shopping at a Target store.  Target sought to discover photographs of the plaintiff from her Facebook account going back two years before the incident through the present.  Target claimed that the photos would go to the quality of the plaintiff’s life before and after the accident to determine the extent of her loss.

The trial court agreed and ordered the plaintiff to produce the pictures.  The plaintiff appealed.  On appeal, the court examined in detail the balance between a party’s “right to privacy” and another party’s right to take broad discovery in civil litigation.  In the end, the appellate court agreed with Target and upheld the trial court’s ruling, ordering the plaintiff to produce the photographs.  I agree with the court’s ruling and find some of the points made in its opinion to be of particular interest.  Here are a few highlights.

First, unlike most states, individuals in Florida have a constitutional right to privacy.  In Delaware and most other states, there is no such right.  There is a federal constitutional right of privacy but that extends only to actions taken by the government.  So, for example, in Delaware, in order to claim privacy as a basis to avoid similar discovery, it would have to be the government seeking to obtain the pictures.  Thus, the Florida court had to address the privacy issue as an additional step over and above what would be protected in most other states.

With respect to privacy, the court explained that the right of privacy does not attach unless and until there is a “legitimate expectation of privacy.”  Here, the court concluded that, “generally, the photographs posted on a social networking site are neither privileged nor protected by any right of privacy, regardless of any privacy settings that the user may have established.”  The court agreed with other courts that have found that there is no “special privilege” or other protections for content shared via social-networking site.

Second, the court recognized the potential value of information and evidence shared via Facebook or other similar site.  The court explained that, particularly in a personal-injury claim,

. . . there is no better portrayal of what an individual’s life was like than those photographs the individual has chosen to share through social media . . .

Thus, the court held, the photographs sought by Target were “powerfully relevant” to the issue of damages.

This decision is so thoughtful and well written that it is, in my opinion, a leading example for other courts to follow when faced with decisions about what can and should be produced during litigation from a party’s social-networking accounts.

Nucci v. Target Corp., No. 4D14-138, 2015 Fla. App. LEXIS 153 (Fla. Ct. App. 4th Dist. Jan. 7, 2015).

See also:

How NOT to Produce Facebook Evidence

Waiver of Attorney-Client Privilege Via Facebook

Delaware Supreme Court Rules On Admissibility of Facebook Evidence

Discovery and Preservation of Social Media Evidence

Court Finds Duty to Preserve Personal Emails of Employees

Discovery of Social-Media Passwords

Delaware Chancery Ct. Finds No Privilege for Email Sent from Work Account

Employer Failure to Preserve Employee Social-Media Evidence

Is There a Reasonable Expectation of Privacy In Your Tweets?

EEOC Sanctioned for Failure to Produce Social-Media Evidence

Employees Must Turn Over Facebook Info For Harassment Claim

Discovery of EEOC Claimants’ Social-Media Posts

Call Me, Maybe. Discovery of Employee Identities

Spoliation of Facebook Evidence

Facebook Threats Constitute Legitimate Grounds for Termination

Earlier this week, I wrote about the issue of threats made via Facebook constitute constitutionally protected speech.  Today’s post also is about threats made via Facebook but in the context of the workplace.  The case, decided by the Court of Appeals of Ohio, is timed perfectly for my road trip tomorrow to Ohio. social media letterpress_3

In Ames v. Ohio Department of Rehabilitation & Correction, an employee, a Senior Parole Officer, was sent for an independent medical exam after she posted a Facebook comment that her employer believed to be a threat.  The comment was in reference to shooting parolees.  The employee claimed that the comment was a joke.  The psychologist who conducted the exam cleared her to return to work, finding no evidence of depression, anxiety, or mood disturbance.

A few months later, the employer received an “anonymous” complaint that the employee was using her state-issued computer for non-work purposes.  It turned out that the complaint actually was made by the new partner of the employee’s ex-girlfriend.  The new partner, of course, was a co-worker. There was an investigation and the employee was issued a written reprimand.

A few months later, the co-worker (partner of employee’s ex), files an incident report alleging that the employee had sent a threatening text message to the co-worker and the ex.  A few weeks later, the employee filed an incident report against the co-worker, alleging that the co-worker had used a state computer for, you guessed it, non-work-related purposes. An investigation was begun.

Days later, the co-worker notified the employer that the ex had filed for an order of protection against the employee.  In the motion, the ex claimed that, two years earlier, the employee had held a gun to her head.  The employee denied that any such incident had occurred.

In any event, the employer sent the employee off for a second IME, this time to discover whether she had a “propensity for violence.”  Now, I’m no psychologist, but I’m pretty sure that there’s no widely accepted methodology for determining whether a person has a “propensity for violence.”  Apparently, the psychologist who conducted the IME had similar doubts and gave an inconclusive report, failing to address whether the employee had any such “propensity.”  So the employer sent her off for a third IME, this time specifically asking the examiner to make such a conclusion.

The examiner declined to make such a finding, explaining that there is (as I believe I may have mentioned) no reliable way to make such a determination.  Nevertheless, a few months later, the employee posted a threatening message on Yahoo! Messenger to the ex.  She denied sending the message but resisted the employer’s attempts to determine if the account had been hacked.  As a result, she was terminated for the threat and for failing to cooperate in an investigation.

The employee sued under the disabilities laws, claiming she’d really been terminated because the employer perceived her to be disabled.  The employee lost, appealed, and lost again.

So, what are the lessons to be learned here?  Oh, my, there are so many.  Too many to discuss in full so I’ll give you the redux in bullet points:

1.  Love triangles in the workplace usually end badly.

2.  Threats of violence made via Facebook can serve as grounds for discipline.

3.  Failure to cooperate in an investigation constitutes grounds for discipline.

Ames v. Ohio Dep’t of Rehab. & Correction, 2014-Ohio-4774 (Oct. 28, 2014).

Issue of Threats via Facebook Heads to the Supreme Court

The intersection of Facebook use and Free Speech is complicated.  Complicated enough, in fact, that the U.S. Supreme Court will weigh in on the subject when it decides a case it is scheduled to hear argument in today, Elonis v. United States. text message speech bubble or twitter keyboard_3

The basic legal principle at issue is what constitutes a “true threat.”  It is a crime to use the phone or Internet to make a “threat to injure” another person.  And “true threats” are not protected as speech under the First Amendment.  So, “true threats” to injure another made via Facebook can be punishable as crimes.  Otherwise, the speech would be protected by the constitution and could not be considered criminal.

But what’s a “true threat?”  Is that question to be answered by the “reasonable person” who would be subject to the threat?  Or does the speaker have to have intended his words as a threat to constitute a criminal act?

In Elonis, the defendant was arrested after making violent threats directed to his ex-wife (and others).  At trial, he testified that he did not intend to frighten anyone and compared his posts to rap lyrics.  The jury didn’t buy it and found that a reasonable person would have viewed the posts as “true threats.”  So now the Supreme Court will decide what the “true test” for “true threats” should be.

The legal issue may appear easier than it is.  The facts of the case may make the speech and speaker less sympathetic.  For example, his Facebook comments included the following about his wife, after she left with their two children:

If I only knew then what I know now, I would have smothered [you] with a pillow, dumped your body in the back seat, dropped you off in Toad Creek and made it look like rape and murder.

He later posted, “I’m not gonna rest until your body is a mess, soaked in blood and dying from all the little cuts.”  And, when a court issued the wife a protective order, Elonis posted whether it was “thick enough to stop a bullet.”  He also threatened to kill an FBI agent and to slaughter a class of kindergarten students, reports the LA Times.

Three Tips for Protecting Your Electronically Stored Confidential Information

Employers, do you know what apps your employees are using?  That’s the question posed by a recent article in the WSJ.  (See Companies Don’t Know What Apps Their Employees Are Using).  My guess is that the answer to this important question is, “No.”  Here are my top tips for how not to be the employer discussed in the WSJ article. cloud storage file cabinet drawer and folders_3

First, have a policy about employees’ use of cloud-based apps to save work-related documents.  Consider prohibiting employees from saving work documents to cloud-based storage accounts such as Dropbox, SkyDrive, and Box.net.  Also consider prohibiting employees from backing up the contents of their work laptops to cloud-based back-up accounts, such as Mozy and Carbonite.

Second, communicate your policy to all affected employees.  If employees don’t know about the prohibitions, your policy is unlikely to have the desired deterrent factor.  This means that your policy needs to be written in plain English and that it should be publicized to employees in a way that will actually be heard.

Third, enforce the policy.  Don’t make exceptions.  If an employee violates the policy, the employee should be disciplined accordingly.  Even if the employee is your favorite employee.  And even if the employee complains a lot about the policy-and claims that he or she needs the online storage and/or back-up accounts.  The answer is “no.”  And that answer must be consistent, regardless of how loudly an employee complains.

As a bonus point, I’ll note that employers should consider having all employees execute a confidentiality agreement.  The agreement can be very brief-a paragraph long does the trick, most of the time.  But the key is to have all employees execute the document.  And, ideally, have the employees reaffirm their adherence to the confidentiality agreement on a yearly basis.

A lot of additional work?   Yes.  But, if you have an employee who defects to a competitor and takes with him several gigabytes worth of your confidential data, the extra “work” will be worthwhile.  You’ll be glad you have taken these steps-and don’t hesitate to thank me for the great suggestions.

A Perk of BYOD Policies at Work

Employers face a serious challenge when trying to prevent employees from taking confidential and proprietary information with them when they leave to join a new employer-particularly when the new employer is a competitor.   When an employer becomes suspicious about an ex-employee’s activities prior to his or her last day of work, there are a limited number of safe avenues for the employer to pursue. privacy policy with green folder_thumb

Generally, an employer should not review the employee’s personal emails or text messages if they were sent or received outside the employer’s network.  But what if the employee turns over his personal emails or text messages without realizing it?  The answer is, as always, “it depends.”  A recent case from a federal court in California addresses the issue in a limited context.

After the employee resigned, the employer sued him for misappropriating trade secrets.  He filed counterclaims, accusing the employer of violating the federal Wiretap Act, the Stored Communications Act (SCA), and state privacy laws.  The employee alleged that the employer had reviewed his text personal text messages on the iPhone issued to him by the former employer after he’d returned it but before he unlinked his Apple account from the phone.

All of the employee’s counter-claims were dismissed by the court.  The court found that the Wiretap Act claim failed because there was no allegation that the employer had intentionally intercepted any messages.  The SCA claims failed because there was no allegation that the employer had accessed any messages.  And, perhaps most obviously, the privacy claims failed because the employee could not have had a reasonable expectation of privacy.

The court specifically found that the employee had “failed to comport himself in a manner consistent with objectively reasonable expectation of privacy” by failing to unlink his old phone from his Apple account, which is what caused the transmission of his text messages to his former employer.

Sunbelt Rentals, Inc. v. Victor, No. C 13-4240-SBA (N.D. Cal. Aug. 28, 2014).

See also

Too Creepy to Win: Employer Access to Employee Emails

Traveling for Work and Late-Night Emails

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Keeping Secrets on Social Media: Part II

Employees telling secrets online was the subject of yesterday’s post, Keeping Secrets on Social Media.  Today’s post–a continuation of the theme from yesterday–is about “auto-expire” apps.

telling secrets_thumb

An “auto-expire” app is an app that enables users to set an automatic expiration date and time for social-media or other online content.  There are lots of reasons one would use an auto-expire app but the three that come immediately to mind are regret, efficiency, and secrecy.

Social-media regret is nothing new.  Just last summer, I wrote a post about social-media regret syndrome.  Auto-expire apps like Xpire, for example, allow users to set expiring posts for Facebook, Twitter, and Tumbler.

Efficiency also is a reason to consider these apps. You don’t need to keep (or have others keep) the series of text messages exchanged about where to meet for lunch.

But secrecy, in my opinion, is the most prominent reason for the increased interest in these auto-expire apps.  In the employment context, there may be security reasons for having highly confidential discussions automatically deleted forever.  Apps like Wickr (branded as “a top-secret messenger), are targeted to businesses for exactly that reason.  Wickr advertises that messages sent through the app contain no geolocation data and are not tracked or monitored–what’s yours is yours and cannot be accessed by the host site.

Be careful, though, about what you send through these apps–people are often surprised by the utility of having access to evidence in the form of contemporaneous posts and conversations.  But, for certain exchanges, you can imagine the equally powerful utility of having an untraceable and permanently deleted line of communications.