A New Jersey hospital's union president brought suit against the hospital alleging violations of the federal Electronic Communications Privacy Act, New Jersey Wiretapping and Electronic Surveillance Control Act, invasion of privacy and other laws as a result of a hospital supervisor's demand that an employee provide access to the union president's Facebook page. Ehling v. Monmouth Ocean Hospital Service Corp., D.N.J., No. 11-3305, (May 30, 2012).
The union president's Facebook page was limited such that only her approved "Facebook friends" could access and view her postings. Many hospital employees were Facebook friends with the president. Unfortunately, none of the hospital's management was Facebook friends with the union president, with which they were clearly dissatisfied.
Undeterred by their unfriended status, a hospital supervisor summoned into an office an employee who had been friended, and allegedly coerced, strong-armed and/or threatened the employee into accessing the union president's Facebook page on a hospital computer. According to the union president, the supervisor viewed and copied the Facebook postings.
The hospital then sent letters regarding the union president's Facebook postings to various licensing agencies alleging that her postings that were unrelated to patient care at the hospital "showed a disregard for patient safety." No violation of patient privacy was asserted by the hospital. The union president asserted that the letters were malicious attempts to attack her personally, damage her reputation and employment opportunities and impair her licenses and certifications.
Ruling on the hospital's motion to dismiss, the court found that the New Jersey Wiretapping and Electronic Surveillance Control Act was not violated as the complaint did not allege that the plaintiff's Facebook posting was in the course of transmission when the hospital supervisor viewed it. The New Jersey Wiretapping and Electronic Surveillance Control Act generally prohibits knowingly accessing without authorization a facility through which an electronic communication service is provided or exceeding an authorization to access that facility, if the person thereby obtains, alters or prevents authorized access to an electronic communication while that communication is in electronic storage.
With respect to the claim for common law invasion of privacy, the hospital argued that the union president did not have a reasonable expectation of privacy in her Facebook postings. While the court acknowledged that privacy in social networking is an emerging, but underdeveloped, area of case law, it nonetheless adopted the emerging concept of "limited privacy," which is "the idea that when an individual reveals private information about herself to one or more persons, she may retain a reasonable expectation that the recipients of the information will not disseminate it further."
Under the limited privacy standard, the court found that the union president stated a plausible claim for invasion of privacy and may have had a reasonable expectation that her Facebook postings would remain private, considering that she actively took steps to protect her Facebook page from public viewing, and notwithstanding the fact that she had a large number of Facebook friends.
Whether the union president actually had an objectively reasonable expectation will ultimately be determined at trial, but the message is clear that providers must exercise caution in how they gain access to employee and union representative's electronic data.