Recent Wisdom from the NLRB

As NLRB Chairman Mark G. Pearce recently stated, “Many view social media as the new water cooler.”1 In a series of recent rulings and advisories, the NLRB is now requiring employers to rewrite their social media policies after finding many policies to be overbroad. For instance, a social media policy that says don’t disparage managers, co-workers or the company itself, and violations can result in discipline up to and including termination, has been held illegal by the NLRB since employees have a right to discuss work conditions freely and without fear of retribution - whether the discussion takes place in the office or on social media sites.2

A recent NLRB Advice Memo addresses some of the questions surrounding social media issues affecting the workplace. The Advice Memo explained that portions of Giant Food LLC’s (“ the Company”) social media policy3 including prohibitions against disclosing confidential/nonpublic information, using Giant’s logo, trademark or graphics, and photographing or video recording Giant’s offices, were unlawful because those prohibitions could reasonably be construed to restrict employees’ Section 74 rights under the National Labor Relations Act (“NLRA”).5

The NLRB Advice Memo found that the language used in Giant’s policy was overbroad and concluded that specific, clarifying language was necessary to ensure that employees’ Section 7 rights were not unlawfully limited.

The Advice Memo further explained that the confidentiality requirement did not clearly explain what the Company held to be “nonpublic” and “confidential information,” to the point employees could conclude that they were prohibited from disclosing or sharing information about working conditions. Likewise, the Advice Memo concluded that the Company’s prohibition of taking photographs and videos was not clearly drafted and might dissuade employees from using social media to communicate and share information regarding their Section 7 activities through pictures and videos. Although the Advice Memo acknowledged the Company’s right to protect its logo and trademark, the prohibition of the use of those materials was viewed as too broad and possibly interfered with employees’ rights under Section 7 such as picketing to protest working conditions.

The Advice Memo upheld the Company’s rules concerned with defaming or discrediting the Company’s goods and services since those limitations are not protected under Section 7. The Company’s “speak-up” provision was upheld as it did not threaten any punishment, discipline or restrict employees’ speech. The Advice Memo also noted that the standard disclaimer was insufficient to overcome overbroad, ambiguous language of the Company’s Policy. The Advice Memo concluded that once the Policy was rewritten and the sections held unlawful were removed, employees could not reasonably construe that the Policy interfered with any Section 7 protected activity.

When drafting social media policies, it is essential for employers to be careful that the language contained in the policy is both clear in scope and application, and that the policy is precise as to what activity is prohibited to ensure that the policy is not overly broad. Careful drafting will help employers avoid the pitfall of enacting policies that encompass protected activities or that might be interpreted as “chilling” protected behavior.

State Law Developments

Meanwhile, many state legislatures are actively constructing a fabric of laws that will prohibit employers from asking for access to social media accounts of job applicants and employees.

Eleven states have enacted laws that prohibit employer access to applicant and employee personal password and protected accounts. Those states, as of this date include, Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Jersey, New Mexico, Oregon, Utah and Washington.6

  • Each state law prohibits employers from seeking applicants’ social media login information.
  • Each state law enacted, except New Mexico, prohibits employers from seeking current employees’ social media login information.

Password Protected Accounts

In Pietrylo v. Hillstone Restaurant Group7, two employees created a password protected MySpace page to air their grievances against their employer and invited other employees - but not managers - to join. One of the managers learned of the site, which contained profane content, when one of the invited employees showed him a posting from the site. That manager shared the information with another manager, then both managers twice requested the employee's log-in ID and password to the site. Eventually, the employee provided the information to the managers. After logging into and reviewing the site a few times, the managers fired the site's creators for damaging employee morale and violating the restaurant's "core values."

The central issue at trial was whether the employee who provided her log-in credentials was coerced, permitting the managers access to the site. The employee testified that she felt pressured to give the managers her password and that she would have gotten into trouble had she not done so. There was no documentary evidence that she willingly authorized the managers to enter the site. In light of the employee's testimony, the court found the jury’s original conclusion that the managers were not authorized to enter the site was correct and refused to toss out their verdict.

Shoulder Surfing, Privacy and the Stored Communications Act

California, Illinois, Michigan, New Jersey and Washington prohibit “shoulder surfing” or standing over an employee’s shoulder and reading their social media content or otherwise accessing employee social media sites without login information. Arkansas and Colorado’s laws do not specifically prohibit employers from shoulder surfing but do prohibit employers from requiring employees to change their privacy settings to allow public access to their accounts or requiring that employees “friend” other employees so that accounts can be monitored. Maryland also does not prohibit shoulder surfing.8

A recent suit by a New Jersey nurse may shed some light on this area of the law. In this case, the plaintiff, a registered nurse and paramedic for Monmouth Ocean Hospital Service Corp9 (“Monmouth”), claimed that Monmouth engaged in a pattern of retaliatory conduct against her based on her activities and statements on Facebook. In 2009, a hospital supervisor gained access to the plaintiff’s Facebook account by coercing a fellow coworker, who was the plaintiff’s Facebook friend, to access the plaintiff’s Facebook page in the employer’s presence. The employer viewed and copied several of the plaintiff’s postings. One such posting referenced an incident where a white supremacist opened fire at the Holocaust Museum in Washington, D.C. The plaintiff commented on Facebook ridiculing the D.C. paramedic’s response to the shooting. As a result, Monmouth sent letters to the New Jersey Board of Nursing claiming the plaintiff showed a blatant disregard for patient safety and argued that the plaintiff should lose her nursing license. In response to these claims, the plaintiff brought a variety of claims against Monmouth including a violation of New Jersey’s wiretapping statute, a Stored Communications Act (SCA) violation and an invasion of privacy.

The first claim against Monmouth was brought under New Jersey’s wiretapping statute. This statute has been construed to cover only messages that are in the course of transmission or a backup to that transmission. According to the court, the statute does not cover communications that have been received and are in post-transmission storage such as a Facebook post. As result, the wiretapping claim was not able to survive a motion to dismiss on this particular claim.

The second claim brought against Monmouth was based on the SCA, which provides a civil right of action for any damages incurred through the intentional access of electronic communication without authorization. Facebook posts may fall under the SCA - depending on an individual’s privacy settings. Several cases have allowed SCA claims where an employer gains access to privacy protected employee pages. However, those cases are somewhat distinguishable on the basis that the employers obtained the credentials themselves and repeatedly accessed the sites or pages in question.

The final claim brought was based on an invasion of privacy. Under New Jersey law, to succeed on this type of claim, the plaintiff must show that: (1) Monmouth intruded on her solitude, seclusion or private affairs, and (2) the intrusion would be highly offensive to a reasonable person. On one end of the spectrum, the plaintiff should have no expectation of privacy for material posted to an unprotected site that is accessible by anyone. On the other end of the spectrum, courts have recognized an expectation of privacy for password-protected on-line communications. There is merit to the view that disclosure to a small group shouldn’t undermine privacy rights in personal communications. The court recognized in Moreno v. Hanford Sentinel, the claim of a right of privacy is not "so much one of total secrecy as it is of the right to define one's circle of intimacy." Moreno involved a MySpace post which was made generally available on the internet, which distinguishes it from the post in this case which was ostensibly limited to plaintiff's Facebook friends.

Social Media and Employer Investigations

Some states laws provide for exceptions as to the use of social media for employer investigations including Arkansas, California, Colorado, Utah and Washington, although the scope of the exceptions vary from state to state. For instance, in California employers are permitted to ask an employee to divulge personal social media content that the employee “reasonably believes to be relevant to an investigation of employee misconduct or employee violation of applicable laws and regulations.”10 Colorado and Maryland have similar narrowly tailored laws for workplace investigations. The Colorado exception permits employers to conduct an investigation to ensure compliance with “securities or financial law or regulatory requirements,” where prompted by information that (a) the employee is using the account for business purposes, and (b) where the employer receives information that the employee has engaged in “unauthorized downloading” of an employer’s proprietary information or financial data. Although the bill does not say so expressly, it appears to contemplate that the employer can request an employee’s log-in credentials in these limited circumstances.
Implications for Employers

State laws are attempting to address how employees and employers deal with social media but the result is a “patchwork” of requirements and exemptions that can cause confusion - especially for multijurisdictional employers trying to have an across the board policy and practice. In this ever evolving landscape of social media law, it is crucial for employers to remain up-to-date on state, federal and regulatory laws and rules governing social media in the workplace and consult with legal counsel when reviewing, revising, conducting investigations and enforcing social media policies.