Laws affecting the monitoring of company information systems

Patrick H. Flanagan
(704) 940-3419
Norwood P. Blanchard
(910) 332-0944
Ryan D. Bolick
(704) 940-3416
Patricia L. Holland
(919) 424-8608
M. Robin Davis
(919) 424-8609
Ann H. Smith
(919) 424-8610
Blogging, Facebook,
T[sex]ting and
Twitter in the Work Place
What Has Been the Positive Impact of
Technology on the Workplace?
Instant transmittal of information
Rapid business transaction
Improved work flow
Increased practicality of the multi-office
 Increased practicality, desirability and usage of
alternative working arrangements
What Has Been the Negative Impact
of Technology on the Workplace?
 Blogs have been used to criticize and
disparage employers.
 Confidential or embarrassing information can
be “leaked.”
 Social Networks are prime locales for sexual
 Internet use can reduce the productivity of the
employees if left unmonitored.
Social Networking Sites:
All the Rage
 Two-thirds of the world’s internet
population visit social networking or sites
 Facebook has more than 400 million users
 Use of Twitter has soared more than 1,200
 In February 2009, time spent on social
networks surpassed email for the first time
(Source: Teddy Wayne, “Social Networks Eclipse E-Mail,”
The New York Times, May 18, 2009)
Some Interesting Statistics
 25% have shared personal information
 MySpace currently has over 200 million
registered users.
 Facebook has over 300 million active users.
 Largest growth not by teenagers but by 25 to
What’s all the ‘Twitter’ at Work?
 22% of employees visit SNS 5 or more times per
week; 23% visit 1-4 times per week
 53% of employees say their SNS are none of their
employer’s business
 61% of employees say that even if employers are
monitoring their social networking profiles or
activities, they won’t change what they’re doing
 74% of employees say it’s a way to damage a
company’s reputation on social media
Source: 2009 Deloitte Ethics Workplace Survey
The Variety of Electronic Forums Increases
the Importance of Employer Vigilance
 E-mail
 Blogging
 YouTube
 Host sites
 Social Networking Sites
Is this the Image You Want for Your
What about this?
It’s Amazing What Folks Put on the
Internet for Everyone to See
Employment Issues Raised
by the Internet
 Can you discipline or terminate an employee for what
they say or do on the Internet?
Can you base a hiring decision on content about the
candidate on the Internet?
Do employees have an expectation of privacy regarding
employer email and computers?
What are the risks of defamation claims from electronic
employee postings?
What are the risks of sexual harassment claims arising
from internet use and what defenses are available?
How does electronic communication affect e-discovery
when claims or lawsuits are brought?
Would You Hire Him as an
Would You Still Hire Him as an
What about this candidate?
How About Her?
Common Risks of Internet Searches
 Problem:
A search may identify an applicant’s
protected characteristics such as medical
information prohibited under the ADA, race,
age, sexual orientation or marital status
 Solution:
Have a non-decision maker conduct the
search and filter out protected information
Common Risks of Internet Searches
 Problem:
Internet information may be inaccurate or
 Solution:
Carefully vet not only the candidate but the
source of information. Try to confirm
information obtained from the web.
Common Risks of Internet Searches
 Problem:
You learn about an applicant’s bankruptcy.
 Solution
Do not use information regarding prior
Common Risks of Internet Searches
 Problem:
You learn about an applicant’s arrest
 Solution
Do not use information regarding
Common Risks of Internet Searches
 Problem:
You learn about an applicant’s conviction.
 Solution
Use a background check that complies with
the Fair Credit Reporting Act and state law.
Common Risks of Internet Searches
 Problem:
You learn about an applicant’s workers’
compensation claim information.
 Solution
Do not use information regarding prior
workers’ compensation claims.
*Many states prohibit “retaliation” against current employees or
applicants on the basis of a current or prior workers’ compensation
Legal, Off-Duty Conduct
 § 95-28.2. Discrimination against persons
for lawful use of lawful products during
nonworking hours prohibited
Can an Employer Legally
Decide not to Hire a
Candidate Based on a
Review of Social
Networking Sites?
Yes, but beware.
If you are going to use SNS for hiring
(i) do so consistently
(ii) rely on objective criteria (preferably from a
job description)
(iii) make sure to comply with all third-party
terms of use agreements
(iv) make sure candidates are notified in
writing of the scope of the company’s
screening practices
And, remember, candidates may be
using SNS to investigate you:
Current Federal Law
 Wiretap Act
Prohibits “interception” of electronic
 Ordinary course of business exception
 One party consent
 Electronic Communications Privacy Act
 Prohibits interception of electronic
Current Federal Law
 Stored Communications Act
Prohibits unauthorized intrusions of stored
electronic information
 Provider exception with
notice to users
 National Labor Relations Act: Protected
 Affords employees (even those who are
not unionized) the right to engage in
“concerted activity”
Current Federal Law
 Fourth Amendment
Prohibits unreasonable searches and
 First Amendment
 retaliation for speaking matters of public
The Developing Case Law
 In Van Alstyne v. Elec. Scriptorium Ltd., 560 F.3d
199 (4th Cir. 2009), the company president accessed
the Plaintiff’s personal AOL email account for more
than a year after her termination
 At the time, the company was pursuing several
business torts against the Plaintiff
 The Plaintiff filed suit, alleging a violation of the
federal Stored Communications Act
 The Fourth Circuit Court of Appeals held she could
recover punitive damages and attorneys’ fees, even
in the absence of actual damages
The Developing Case Law
 In Pietrylo v. Hillstone Rest. Group d/b/a Houston’s
(D.N.J., No. 06-5754, jury verdict 6/16/09) two New
Jersey waiters were fired after their managers took
offense to comments they posted on a password
protected MySpace Account
A third employee claimed she was coerced to give the
managers the password
The federal Stored Communications Act makes it
unlawful to intentionally access stored electronic
communications without authorization
The jury awarded $17,003 in damages
Defendant also liable for Plaintiff’s attorneys’ fees
The Developing Case Law
 In Konop v. Hawaiian Airlines Inc., 302 F.3d 868 (9th
Cir. 2002), the employee created a website in which he
posted various bulletins critical of his employer, its
officers and the incumbent union. Through usernames
and passwords, he enabled other employees, but not
supervisors, to have access to the site. A vice president
discovered the website and obtained permission from
an employee to log on. The president of the company
threatened to sue the employee for defamation based
on statements contained in the website.
The Developing Case Law
 The employee sued the employer alleging, among
other things, violations of the Railway Labor Act.
 The court held that the objectionable statements,
which included calling for other pilots to consider
another union, did make the website a protected
concerted activity.
The Developing Case Law
 In Stengart v. Loving Care Agency, Inc., 2009 N.J.
Super. LEXIS 143 (June 26, 2009), email letters were
sent by the Plaintiff to her attorney using the company
computer, but from her personal email account
 After the Plaintiff filed suit, the Defendant obtained a
forensic image of the hard drive from her computer and
found the letters
 The Defendant had clear policies that permitted it to do
 The court nonetheless held the attorney-client privilege
substantially outweighed the Defendant’s argument the
emails were company property because they were sent
from a company laptop
The Developing Case Law
 In Brown-Criscuolo v. Wolfe, 601 F. Supp. 2d 441 (D. Conn.
2009), a school principal sued the Superintendent of Schools
claiming the Superintendent had engaged in an improper search
of her emails in violation of the Fourth Amendment as well as
other claims under State and Federal Law
 The principal had some concerns about how the Superintendent
was administering special educational programs; as the dispute
appeared to escalate, the principal took an extended medical
leave, and she was temporarily replaced
 While she was on leave, the Superintendent accessed her e-mail
account and found attached a letter she had prepared to her
attorney outlining her concerns about how the District was
handling special education programs; this e-mail was forwarded
and opened by the Superintendent
The Developing Case Law (Wolfe cont’d)
 The school district had a policy which granted a “limited
expectation of privacy” to the contents of employees’ personal
files on the system; the district’s policies also referred to
monitoring the system to determine if “disciplinary or legal
violations occurred.”
 The district’s policies also provided that “[r]outine maintenance
and monitoring of the system may lead to discovery that the
user has or is violating” the district’s rules
 The court concluded the principal had a reasonable expectation
of privacy in the emails because, among other things, the
district did not “routinely monitor” the e-mail accounts of
employees, and the policy provided that employees have a
limited expectation of privacy
The Developing Case Law
In Quon v. Arch Wireless Operating Co. Inc., 554 F.3d 769 (9th
Cir. 2008) cert. granted (Dec. 14, 2009), police officers sued a
wireless provider who provided texting services, when the
wireless provider gave the employer transcripts of their text
The text messages were sent via department issued equipment,
and the employer had a policy requiring the City’s equipment to
be used only for business purposes. The policy also stated the
use of City computers would be monitored and use was
restricted to business purposes.
Nevertheless, the department had never previously monitored
the officers’ text messages prior to conducting this audit. Thus,
even if the City had an applicable “business use” policy, as to
the officers and the use of this equipment, it was largely
The Developing Case Law (Quon cont’d)
The department instead adopted a practice of requiring each
officer to pay a portion of the bill, over a set amount, without
performing any audit as to whether the use of these devices
was strictly for business
Despite the language of the policy covering City issued
equipment and specifically stating “the user should have no
expectation of privacy or confidentiality when using these
resources;” the court ruled the practice of not previously
auditing the messages created an impression text
communications were private
The court also ruled the scope of the search was
unreasonable, because less intrusive alternatives were
This case is now on appeal to the U.S. Supreme Court
What can employers do?
 Employers have the right to monitor how their
employees use their computer networks.
 Employers should ensure monitoring is based on
legitimate needs and limited in scope to achieve
those needs.
 Does the employee have a reasonable
expectation of privacy and what has the
employer done to limit that expectation?
 Give your employees notice of monitoring
Many Employers are Still Behind
the Policy Curve
 45% of employers do not have a social
media policy
 28% are working on developing one
 27% have a policy in place
Source: The Buck Consultants/ IABC 2009 Employee Engagement
So How Are Employers Dealing
With These Risks?
Visiting SNS During Work Hours:
Prohibited completely
Permitted for business purposes only
Permitted for limited personal use
Permitted for any type of personal use
Don't know/no answer
The Basics of a Policy
 Business use only/limited personal use
 Information created by or stored on the Company’s systems is the
Company’s property
 Company reserves the right to monitor the use of electronic resources
 Remind employees that it expects employees to comport themselves
professionally both on and off duty
 Remind employees of the company’s harassment and discrimination
 The storing of electronic information on portable devices without prior
approval is prohibited
 Forwarding of Company information to personal e-mail accounts is
 No one may access, or attempt to obtain access to, another’s
electronic communications without appropriate authorization
Other Elements of Policy
 The Company’s systems may not be used for any illegal activity,
including downloading or distributing pirated software or data
The Company’s policies governing the use of company logos, and
other branding and identity apply to electronic communications
The Company reserves the right to take disciplinary action if the
employee’s electronic communications violate company policy
Employees must abide by non-disclosure and confidentiality
Employees prohibited from making defamatory or discriminatory
comments when discussing the employer, superiors, co-workers
and/or competitors
Employees must comply with all other company policies with respect
to their electronic communications (rules against conduct that may result
in harassment)
Employees bear full responsibility for the material they post on
personal blogs, social networks, Web sites, etc.
What about texting?
 N.C. Gen. Stat. § 20-137.4A makes it
illegal to text while driving.
Publish Your Policies
Employee Handbooks
Policy Manuals (as a stand alone policy)
Paycheck reminders
Annual or more frequent e-mail reminders
Post on Bulletin Boards
What About Privacy in Personal Emails,
Instant Messages, Blogs, and Websites?
 In Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d
914 (W.D. Wis. 2002), co-workers overheard a children’s
pastor discussing lewd acts over the church telephone.
The head pastor hired a technology expert to examine
the church’s computer and access a personal email
account. The children’s pastor was terminated and sued
the church for violating his
 The court found issues of material fact as to whether:
 (1) accessing the employee’s personal account would
be highly offensive to a reasonable person;
 and (2) whether an employee’s email account is a
place a reasonable person would consider private.
What About Privacy in Personal Emails,
Instant Messages, Blogs, and Websites?
 In Thygeson v. U.S. Bancorp, 2004 U.S. Dist. LEXIS 18863
(D. Or. Sept. 15, 2004), the court held an employee had no
reasonable expectation of privacy in the internet websites he
accessed while using his work computer. The plaintiff was
fired for excessive internet use and storing sexually
inappropriate emails, from his web account, on the company
network. The plaintiff sued, claiming the company invaded his
privacy by monitoring the internet sites he visited.
 The court rejected the plaintiff’s claim, distinguishing the facts
in the Fischer case: The church accessed the contents of
emails on the plaintiff’s personal email account by guessing
at his password, but in this case, the company accessed the
record of the addresses of the web pages the employee had
What About Privacy in Personal Emails,
Instant Messages, Blogs, and Websites?
 Neither Fischer nor Thygeson resolved the issue of whether
there is a reasonable expectation of privacy in content
contained on third-party servers accessed through an
employer’s computers. Arguably, an employer will be less likely
to be found to have invaded an employee’s privacy if the
 monitors only its own networks;
 does not monitor website content;
 has an electronic communications policy in place which
provides the employer may access emails at any time, and
there is no expectation of privacy in such communications;
 requires employee acknowledgement of the policy.
Employee Privacy vs. Employer
 How far can employers go in monitoring employees’ electronic
communications? It depends.
Private sector employees have no inherent constitutional
right to privacy.
However, employer conduct is limited by common law
principles and federal and state privacy laws.
The Fourth Amendment of the U.S. Constitution prohibits
unreasonable searches and seizures by the government.
This protection does not apply to private sector employees.
However, the right to privacy has been expanded to protect
individuals from unreasonable searches by private parties,
which can form the basis for other types of claims.
Employee Privacy vs. Employer
 In Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996), an
employee was discharged for sending “inappropriate and
unprofessional comments” to a supervisor via the employer’s
email system. The employer had assured its employees that all
email communications would remain confidential and would not
be reviewed and used as a basis for termination. Nonetheless,
the employee’s communications were reviewed and used as
the basis for termination.
 The employee sued the company for wrongful termination,
claiming the employer violated “public policy” by invading his
privacy. The court rejected the claim, reasoning that once the
employee voluntarily communicated the comments to a
second person (his supervisor) over the company email system
utilized by the entire company, any reasonable expectation of
privacy was lost.
Employee Privacy vs. Employer
 Other courts have reached similar results:
McLaren v. Microsoft Corp., 1999 Tex. App. LEXIS 4103
(Tex. App. May 28, 1999) – no reasonable expectation of
privacy for password protected personal folders on
company network accessed through a company
TBG Insurance Services Corp. v. Superior Ct., 96 Cal.
App. 4th 443 (Cal. Ct. App. 2002) – no reasonable
expectation of privacy in an employer-owned computer
located at employee’s home
Garrity v. John Hancock Mutual Life Insurance Co., 2002
U.S. Dist. LEXIS 18863 (D. Or. Sept. 15, 2004) – no
reasonable expectation of privacy in personal folders on
company network and accessed Internet sites
Privacy in e-mails
 Courts more inclined to rule in favor of an
employer if:
Employer owns the computer and the e-mail
Employee voluntarily uses an employer’s
Employee consented to be monitored (usually
based in written personnel policy)
Note to Self:
 Don’t friend your boss on Facebook and
then complain about your job:
Fired for Facebook in Philly!
 In March 2009, the Philadelphia Eagles fired
a six-year employee for posting a critical
message about the team on his Facebook
 The employee wrote, “I am f---ing devastated
about [Brian] Dawkins signing with Denver…
Dam Eagles R Retarded!!”
 Despite removing the message and
apologizing, the Eagles fired him in a
telephone call.
On Company Time: Taxpayers’ Dime
is Facebook and Twitter Time
 On October 29, 2009, the Boston Herald ran a
series of articles on the Facebook and Twitter
exploits of Amy Derjue, an employee working for
City Council President, Michael Ross.
 Ms. Derjue was exposed for posting 40
Facebook postings from October 12th through
the 28th during working hours. Only two
postings were related to her job as Ross’
Communications Director.
 Perhaps most damaging, Ms. Derjue posted that
she was going to sleep at the latest City
Council meeting.
How to get fired in 140 characters
or less:
“Cisco just offered me a job! Now I
have to weigh the utility of a fatty
paycheck against the daily commute to
San Jose and hating the work.”
How to get fired in 140 characters
or less:
 Connor Riley, a 22-year-old college student, sent out
the tweet and received this tweeted response from
Tim Levad, “channel partner advocate” for Cisco
 “Who is the manager. I’m sure they would love to
know that you will hate the work. We here at Cisco are
versed in the web.”
Dealing with employees who
misuse electronic communications
Could the employee be protected under a whistleblower
Was the communication a “legal off-duty activity” which
may be protected by state law?
Was the communication related to political activities or
Is the speech protected by the First Amendment?
Was the communication protected Section 7 activity
under the National Labor Relations Act?
Would discipline of the employee violate any antidiscrimination or anti-retaliation laws?
Advice from an Employee
Terminated for Blogging
 Terminations based on employee blogging have been termed
being “dooced” after the blog,
 “I started this website in February 2001. A year later I was
fired from my job for this website because I had written
stories that included people in my workplace. My advice to
you is BE YE NOT SO STUPID. Never write about work on
the internet unless your boss knows and sanctions the fact
INTERNET. If you are the boss, however, you should be
aware that when you order Prada online and then talk about
it out loud that you are making it very hard for those around
you to take you seriously”
Follow-Up Questions?
Contact Us.