Employer access to employee email and social media accounts is one of the hottest topics in employment law right now. Employer conduct in this area implicates numerous laws, including discrimination, whistleblowing, protected concerted activity, off-duty conduct statutes, the attorney-client privilege and, of course, invasion of privacy.
A few months ago, the District of New Jersey had the opportunity to address privacy concerns associated with employee social media postings. In Ehling v. Monmouth-Ocean Hospital Service Corp., 2012 WL 1949668 (D.N.J. May 30, 2012), the plaintiff — a registered nurse, paramedic and acting president of the local union — maintained a private group within her Facebook account, where only those who were her Facebook “friends” were permitted to access and view postings on her Facebook “wall.” While the plaintiff invited many of her co-workers to be her Facebook friends, she did not invite any members of management. In fact, as alleged in the complaint, significant animus apparently existed between the plaintiff and the management, allegedly stemming from the plaintiff’s union activities and her deposition testimony in a lawsuit filed by employees against Monmouth-Ocean Hospital (MONOC).
MONOC purportedly gained access to the plaintiff’s private Facebook account by having a supervisor summon one of Ehling’s co-worker Facebook friends into the supervisor’s office, at which time the supervisor “convinced” the employee to access his Facebook account on the supervisor’s work computer. The supervisor viewed and copied the plaintiff’s Facebook postings. One such posting was a comment the plaintiff made regarding a shooting that took place at the Holocaust Museum in Washington, D.C., stating:
An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards ….go to target practice.
MONOC sent letters regarding the plaintiff’s Facebook posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services. The letters stated that MONOC was concerned that the plaintiff’s Facebook posting showed a disregard for patient safety (given the post’s insinuation that the paramedics acted inappropriately in saving the shooter’s life).
Ehling filed a complaint, alleging, in pertinent part, invasion of privacy (intrusion upon seclusion) and violations of the New Jersey Wiretap Act (N.J.S.A. 2A: 156A–27). MONOC moved to dismiss those claims.
The district court dismissed the Wiretap Act claim, because the act “protects only those electronic communications, which are in the course of transmission or are backup to that course of transmission.” Given that the reviewed posting was in post-transmission storage at the time of access, the communication did not fall under the purview of the Wiretap Act.
However, the employer did not fare as well on Ehling’s invasion of privacy claim. Under New Jersey law, to state a claim for intrusion upon one’s seclusion, a plaintiff must allege sufficient facts to demonstrate that: (1) her solitude, seclusion or private affairs were intentionally infringed upon; and that (2) this infringement would highly offend a reasonable person. Judge Martini explained that “[p]rivacy in social networking is an emerging, but underdeveloped, area of case law.” While the law is clear that there is no reasonable expectation of privacy for material posted to an unprotected website that anyone can view, there are cases holding that there is a reasonable expectation of privacy for individual, password-protected online communications. Here, “given the open-ended nature of the case law,” Judge Martini concluded that Ehling may have had a reasonable expectation that her Facebook posting would remain private, considering that she actively took steps to protect her Facebook page from public viewing. More importantly, he explained, reasonableness (and offensiveness) are highly fact-sensitive inquiries not amenable to dismissal at the pleading stage.
Ehling is not the first time the District of New Jersey has protected employee social media postings. In Pietrylo v. Houston’s Restaurant, 2009 WL 3128420 (D.N.J. Sept. 25, 2009), the district court upheld a jury’s verdict that Houston’s violated the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., by accessing its employees’ private MySpace chat group.
In Pietrylo, two employees of Houston’s Hackensack restaurant set up an invitation-only MySpace chat group (the “Spec-Tator”) “to vent about any BS we deal with [at] work without any outside eyes spying in on us.” The initial posting further indicated: “This group is entirely private, and can only be joined by invitation.” It invited participants to “[l]et the s* *t talking begin.” Posts on the site included sexual remarks about management and customers, jokes about Houston’s customer service, references to violence and drug use and a copy of a new wine test that was to be given to employees.
Upon learning of the Spec-Tator, a Houston’s supervisor requested, and obtained, the access password from one of the Spec-Tator employee invitees. The supervisor then used the password to log on to the site and review its contents. The supervisor then shared the password with other members of management, including the human resources department, which also accessed the site. Based on the content of the postings, Houston’s terminated the two employees who set up the site. The two terminated employees sued the company for violating the federal and N.J. wiretap laws, the SCA (and N.J. parallel), wrongful termination in violation of public policy and invasion of privacy.
The jury found for the employees on the SCA claim, and awarded them lost wages and punitive damages. The SCA makes it an offense to intentionally access stored communications without authorization or in excess of authorization. Critical to the liability finding was the testimony of the co-worker invitee that she felt compelled to give her password to her supervisor (“I felt that I probably would have gotten in trouble”), and that she would not have given the supervisor the password if he had not been a manager. The court concluded that these facts arguably established access without authorization.
The bottom line from Ehling and Pietrylo is that New Jersey employers who request or gain access to password-protected private employee social-media sites are treading very close to, or crossing into, illegal activity. Not to mention the pitfalls employers can fall into by taking adverse action based upon the posts they locate.
New Jersey, as usual, is at the forefront concerning employee protection vis-à-vis these issues. In that regard, on May 10, two Democratic assemblymen introduced a bill (A-2878) that would bar New Jersey employers from requiring applicants or current employees to provide their social media usernames or passwords, and would prohibit employers from requiring or requesting a current or prospective employee to disclose whether he has a personal account. Such laws have already been passed in Maryland and Illinois, and, as of the time of this article’s drafting, are under consideration in a handful of other states, including New York, California, Massachusetts, Minnesota and Michigan. There is also federal legislation in the works.
The proposed New Jersey bill provides for civil lawsuits, where employees can obtain injunctive relief, compensatory and consequential damages, reasonable attorney fees and court costs, and employers can be assessed civil penalties.
Under pressure from the business community, the General Assembly amended the bill on June 21 to reflect that it only applies to exclusively “personal” social networking accounts, as opposed to those which are related to “any business purposes of the employer” or used to “engage in business related communications.” It is unclear whether LinkedIn would be excluded under this “employer business” exception, or whether postings similar to those in Pietrylo, which, in part, dealt with the employer’s business practices, would fall outside the bill’s ambit. Further, the amended bill clarifies that it is not intended to prevent an employer from complying with other state or federal laws, which could include such things as employer investigations of harassment claims or insider trading, which may require access to otherwise private postings. Finally, the amended bill states that it is not intended to interfere with employer policies regarding employer-issued electronic communication devices. Employers are wise to have policies in place which address the permissible uses of the electronic devices they issue to their employees.
On June 25, the Assembly overwhelmingly passed this amended bill. On Sept. 20, the Senate Labor Committee advanced the bill to the full Senate, after rejecting an attempt by a Republican senator to remove the civil lawsuit component. Employers should continue to monitor this bill and other developments in the case law concerning these issues.■