By way of legal background, the Electronic Communications Privacy Act (“ECPA”), enacted in 1986, is comprised of two statutes: the Wiretap Act and the Stored Communications Act. Historically, most litigation arising under the ECPA has involved the Wiretap Act, that is, where there are “interceptions” of wire, audio or aural communications (for example, listening to an employee’s phone call).
However, with the social media revolution, the Stored Communications Act (“SCA”) now is coming into play. Generally speaking, in the employment context, the SCA makes it unlawful for an employer to have unauthorized access to an employee’s private social media sites.
More than a dozen states now prohibit employers from asking applicants or employees for their passwords to their private social media sites. However, the SCA, which applies to employers in all 50 states and which comes with civil and criminal penalties, may go even further.
Ehling v Monmouth Ocean Hospital Service (D.N.J. 2013) is one of the first cases to focus on the application of the SCA to Facebook. The facts of the case can be summarized succinctly. The plaintiff-employee had a Facebook account. The plaintiff friended a coworker. The coworker, on his own initiative, provided management with copies of postings made by the plaintiff.
The plaintiff argued that the employer violated the Stored Communications Act. The court held that the SCA applied. However, the court also held that an exception to the general prohibition under the SCA on accessing stored communications also applied.
As the court noted, very few courts have addressed whether the SCA applies to Facebook wall posts. There is no legislative history with regard to the intended application of the SCA to social media for a simple reason: the SCA was enacted before the advent of social media.
However, the legislative history does provide some guidance. As the court noted: “The legislative history of the [SCA] suggests that Congress wanted to protect electronic communications that are configured to be private.”
The SCA provides that whoever “intentionally accesses without authorization a facility through which an electronic communication service is provided . . . shall be liable for damages” under the SCA. The SCA also provides for damages where an individual exceeds the authorization provided to him or her to access a facility.
For the SCA to apply, four (4) requirements must exist: (1) there is an electronic communication; (2) that was transmitted by an electronic communication service; (3) the communication is in electronic storage; and (4) it is not public. The court noted that Facebook wall posts that are configured to be private meet all four (4) criteria.
More specifically, the court held: (1) Facebook wall posts are electronic communications; (2) Facebook wall posts are transmitted by an electronic communication service; (3) Facebook wall posts are in electronic storage; and (4) Facebook wall posts that are configured to be private are, by definition, not accessible to the general public.
After concluding that accessing an employee’s Facebook page is covered by the SCA, the court then dealt with whether there was an exception that would make the employer’s conduct in this case lawful. The court focused on the exception which provides that the SCA “does not apply with respect to conduct authorized . . . by a user of that service with respect to a communication of or intended for that user.”
The authorized user exception applies where: (1) access to the communication was authorized; (2) by a user of that service; and (3) with respect to a communication intended for that user. The court goes on to define access as not being authorized if the authorization was coerced or provided under pressure.
In this case, the court concluded that all three (3) requirements were met. The first requirement, however, is the one which is most significant for employers; that is, whether the employer’s access to the employee’s Facebook wall posts was authorized. In other words, did the co-worker who was friended by the plaintiff provide the information to management without any coercion or pressure?
In this case, the co-worker testified that he voluntarily provided the information to management. Management also testified that it received the information without soliciting it in any way. Under these circumstances, it was an easy call for the court to find that the access was authorized.
However, not all cases are quite so simple. Sometimes employees will tell management about an offensive posting, for example, racial, ethnic or religious harassment, but not provide a copy of the posting itself. In these circumstances, what is management to do?
There are a continuum of options available to an employer, each with corresponding risk. The seriousness of the legal risk associated with the alleged postings may inform, in part, the level of risk the employer is willing to take under the SCA.
The most direct response would be: “Please provide me with a copy of the posting about which you speak.” No matter how politely that is stated, because of the inherent power differential, a court could find that a mere request is coercive.
Slightly less direct: “It would be helpful for you to provide us with a copy of the posting to which you referred. Please understand that there will be no adverse action taken against you, regardless of whether you decide to provide us with a copy of the posting.”
Even more gentle: We thank you for the information but cannot investigate or take corrective action without seeing it.
Which option, or variation of it, makes most sense turns at least in part, as noted above, on what is at issue. Consider the following examples.
On the one hand, if the posting includes stupid, but not illegal material, then there is no reason to take any risk under the SCA. On the other hand, if the posting could expose the employer to legal liability, for example, the allegation being that the employee has posted racist rants, PHI under HIPAA, or inside information under the SEC, then the employer must balance its risks under statutes regarding the preceding against the risk under the SCA.
When all is said and done, there are a few things that are clear:
One: An employer should never ask an applicant or employee for his or her private password. This is true in all states, even if there is no specific state law.
Two: Where an employee voluntarily provides an employer with a posting, the employer should document the voluntariness with which it was provided. That is, the employer should document that it did not request the posting, but rather an individual provided it to the employer on his or her own initiative.
Three: Where an employee raises a concern about a posting, but does not provide a copy of the posting itself, if legal issues are potentially implicated, the employer should formulate a request for the posting to maximize the likelihood that the employee will share the posting and also minimize the risk that a court find will find there to have been threats or pressure.
No doubt that any request by an employer exposes the employer to some risk. But not requesting the posting also may expose the employer to some risk. It is risk management, not risk avoidance.