But not so fast! The law on social media use and privacy is still developing, and these situations are still a balancing act for employers. The courts, legislatures and the National Labor Relations Board are slowly developing limits to an employer’s ability to access and regulate an employee’s social media communications, and we are still in a veritable “Wild West” with respect to social media issues.
Years before the current pervasive use of social media, Congress passed the Stored Communications Act, which was aimed at protecting the privacy of internet and other electronic communications. The act, which pertains to anyone, not merely employers, and provides criminal penalties for unlawful access to stored communications, where such is “without authorization.” Other states, such as California, have passed their own versions of the SCA prohibiting unauthorized access to employee social media accounts.
Courts are also slowly developing guidelines in response to cases involving adverse employment actions taken by employers in reaction to an employee’s social media posts. The key issue from the case law is the employee’s expectation of privacy in their social media accounts and whether an employer’s access to the social media account could be said to have been “authorized” or at least involve no wrongdoing.
In a case involving employees from a Houston’s Restaurant chain, Pietrylo v. Hillstone Restaurant Group, an employee maintained a personal chat group on MySpace during non-work hours that was accessible only by electronic invitation from the plaintiff and use of a personal password. The site included a statement that the group was private and should be used by Hillstone employees to “vent about any BS we deal with at work without any outside eyes spying on us.” The employee who started the site then exclaims, “Let the s—t talking begin.” The posts also included sexual remarks about management and customers of Houston’s.
An employee member of the chat group showed the communications to her manager, who then asked the employee for the password to the account. Believing she would be in trouble if she didn’t provide the password to her manager, she did so.
The posts were then circulated among management, who in turn fired the chat group founder and another employee, finding that the content contradicted Houston’s core values. The two employees sued and a jury found Hillstone liable for violation of the SCA, awarding them both compensatory and punitive damages. The jury expressly found that the employer’s access to the chat room page was unauthorized, since the employee who reluctantly turned over her password to the manager had not done so voluntarily. The result was upheld by the court although Hillstone had requested a new trial, because the employee who gave her password to a manager felt she would “get in trouble” if she did not provide the password. It was deemed as “unauthorized” access to the MySpace account by the employer and a violation of the SCA.
But in another similar case, Ehling v. Monumouth-Ocean Hospital Service Corp., a court reached a different result. There, a nurse (who was active in union matters) posted a note on her Facebook page after paramedics had saved the life of the suspect in a shooting at the Washington, D.C., holocaust museum. Her post stated: “I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards … go to target practice.”
One of the nurse’s supervisors had friended her and saw the post and turned it over to a hospital manager. The hospital then sent letters regarding the nurse’s posting to the New Jersey board of Nursing and Department of Health stating that the hospital was concerned that the nurse’s Facebook posting showed a disregard for patient safety. The nurse then sued the hospital for invasion of privacy and damage to her reputation. But the court ruled in favor of the hospital, finding that the manager had not directly accessed the nurse’s account and was only shown the post by someone the nurse authorized to view it.
This second case more closely mirrors the facts regarding the demoted employee discussed above. There, since the employer did nothing unauthorized to access the Facebook post, but instead was simply given the post by an employee who was authorized as a “friend” of the employee, there was no violation of the nurse’s right of privacy to her Facebook account. Given the vulgar and threatening nature of the post on Facebook, the company would be well justified in using the post to make any adverse employment action it felt was appropriate.
These cases show us that the law in the area of social media and the workplace is far from settled. There are many other issues not touched upon here, including NLRB decisions limiting access to and use of employee’s social media where it is deemed related to union organizing, and questions about employers’ demand for social media access from prospective employees during the hiring process. Suffice it to say, while the law is still in its infancy and court rulings are unpredictable, employers should err on the side of respecting employees’ privacy regarding their social media accounts.
Robert S. Cooper is the co-chair of the Labor & Employment Group and a shareholder at Buchalter Nemer.