By John P. Quirke
Courts are struggling to apply decades-old privacy and electronic security laws to employment issues arising in the digital arena. The newest challenges involve social media and what companies can do.
Two employees of a large pizza delivery chain had some downtime, so they decided to create a spoof “behind the scenes” video of how sandwiches were prepared for delivery. The employees did some rather unsanitary things to the ingredients as part of the gag.
In the past, the employees might have shown the video to a few friends on their VCR and had a laugh. The entire incident would have been forgotten within a week. In the Internet age, however, matters often take a different turn. The employees decided to post their video to YouTube, and it went viral—viewed by more than a million people within a few days. The company ended up with a major public relations nightmare on its hands, and the two bored employees ended up in jail on a variety of food safety-related charges.
As companies wake up to the incredible marketing power of social media, they are also running headlong into a variety of legal concerns related to just how much power they have—or don’t have—over what their employees post on social media sites. In the pizza video case, the company had the right to protect its reputation and to hold the employees legally responsible. YouTube is an open access site and the video was accessible to the public. But what if the employees had posted the video to a site accessible only by permission, such as Facebook? What legal rights, if any, would the pizza company have had to access the restricted site?
And that’s just one of the issues companies must wrestle with in the Internet age. Compared to the speed of the Internet, the law is moving at a snail’s pace. Courts are struggling to apply decades-old privacy and electronic security laws to the issues arising in the digital arena. Among the concerns are privacy, discrimination, and the right of employees to discuss the terms and conditions of their employment. It all adds up to a legal minefield that companies must tread through carefully.
The newest challenges in the digital world involve social media. The term social media can refer to any number of Internet-based applications used for interactive communication among users, such as YouTube, blogs, or Facebook.
Social media applications allow users to post content—such as text, video, and music—and then invite comment. Unlike static Web pages, social media sites are in a constant state of flux, as more and more comments shape the discussion. This makes it far more difficult to monitor content for libelous or other concerning material, assuming that a company had a right to read it at all.
On the plus side, companies can benefit from social media if they learn how to harness the marketing opportunities. One positive review about a restaurant, for example, can mushroom as friends of the commenter ask for details, share with other friends, and so on.
But negative news, valid or not, spreads just as quickly, as the pizza delivery company found out. Additionally, once information is posted on a social media site, it is virtually impossible to retrieve. So, for example, if a disgruntled employee posts negative comments about an employer, the company might be in a position to take action against the employee, but the negative commentary will live on forever as it is passed around the social media universe.
Companies should not assume that they can take immediate action against employees who post negative comments about them on social media sites. The courts will weigh many factors to assess corporate rights in each case.
The federal Stored Communications Act of 1986 and similar state laws protect electronic records that are in storage rather than in transit. Though the act predates social media by almost two decades, courts still look to it for guidance. Courts have ruled that messages stored on a person’s social media site that are not readily accessible to the public at large are in storage and, therefore, subject to certain privacy protections—including the right to safeguard the messages from compelled disclosure to an employer.
For example, in Pietrylo v. Hillstone Restaurant Group (U.S. District Court for the District of New Jersey, 2008) a restaurant employee created a forum on MySpace and invited several employees to join. The forum, accessible only to the invited employees, became a place where the employees could complain about their work. They also discussed several managers in an unflattering light.
One of the restaurant’s managers heard about the site and asked one of the forum members for her password so that he could review the comments. The employee gave the manager her password. After management reviewed the forum, the company disciplined the employee who had created it. In response, the employee sued under the state analog to the Stored Communications Act. After a trial, a jury ruled that the manager had coerced the password from the employee. His access to the site, therefore, constituted an illegal access to the material. A federal court later upheld the decision.
The National Labor Relations Board (NLRB) has also entered the social media fray. Though the NLRB typically addresses union organizing issues, its rulings apply to all employees, unionized or not, to the extent that the rulings relate to the right of all workers to engage in “concerted protected activity.” Such activity is defined as interaction with other employees designed to bring about a change in working conditions. Importantly, concerted protected activity is not limited to conduct that occurs at work. Social media interactions can, therefore, fall within this definition. Thus, unionized or not, employers unhappy with employee social media comments regarding work must carefully analyze the nature of the posting before taking corrective action.
In August 2011, the NLRB issued a report on recent cases that involved social media issues. The report can serve as guidance to employers on whether employee activity constitutes protected activity.
The report cites a 2011 case in which a social assistance agency fired several of its employees after they used a social media site to openly criticize the agency and how it was delivering services to the public. In the case (Hispanics United of Buffalo v. Ortiz, NLRB, 2011), the NLRB ruled that the employees’ comments on the social media site, although disparaging of the agency, were concerted protected activity. The agency’s termination of the employees was, therefore, illegal retaliation. The NLRB ordered that the agency reinstate the employees.
In another example, the report notes the case of an employee at a car dealership who posted photographs and negative comments to his Facebook page. The employee complained about the food and drink served at a sales event hosted by the dealership. The employee said the event was unprofessional and would negatively affect sales. The employee was fired when the dealership became aware of the postings. The NLRB ruled that the employee was protected because he noted that several other employees were also concerned and that all of their commissions would be adversely affected by the sales event. All of these issues were clearly related to the terms and conditions of employment and, therefore, constituted a protected activity.
The NLRB report also gives examples of how employee postings aren’t always protected. In one case, the NLRB found that an employee who posted offensive tweets was not engaged in protected concerted activity. The employee, who worked as a newspaper reporter, had a Twitter account assigned by his employer. The reporter first tweeted criticisms of the newspaper’s copy editors. However, there was no evidence that the reporter first discussed the issue with any coworkers at the newspaper. The employee was given an official warning, but he ignored it and used his Twitter account to post about a number of issues unrelated to the purpose of the account, including his criticism of a local television station. The employee was fired. The NLRB found that the employee’s termination did not violate the law, because he was fired for misconduct and inappropriate behavior, and his actions were not protected activity.
Companies must also tread carefully when deciding to use the Internet as a source of information in making employment decisions. Part of the problem is that employers may end up seeing information that they would legally not be allowed to ask for in an employment application. For example, employers may not base their employment decisions on discriminatory information such as an applicant’s race, sex, religion, or national origin. However, this information may be on a person’s Internet page. Or other information may surface in a person’s writings posted online. Once an employer learns this information, it is difficult to prove that an unbiased hiring decision occurred.
For example, in a recent case (Gaskell v. University of Kentucky, U.S. District Court for the Eastern District of Kentucky, 2010), the University of Kentucky was reviewing applicants for directorship of its MacAdam Observatory. An Internet search revealed that one of the lead candidates had published an article advocating creationism. Once the selection committee learned of this fact, dissent emerged over whether the applicant’s views on religion and science should prevent his selection. The applicant was not chosen, and he sued the university for religious discrimination. The case was settled out of court earlier this year. The university paid the applicant $125,000.
To maximize their own legal rights, companies must be proactive in setting clear policies regarding the Internet, including employee use of social media. By setting clear guidelines, companies can protect their own interests and give employees a much-needed roadmap for appropriate conduct.
Develop a plan. Companies must clearly communicate the appropriate venues for discussing workplace issues and then make sure that employee concerns are addressed. Just prohibiting workplace discussions on social media may not protect companies from NLRB actions.
Write a policy. If the company takes a neutral or positive stance regarding employee use of social media to discuss work, it must develop a policy to guide that use. Companies should not assume that employees know that they should not post confidential information or that they know to keep their posts strictly factual. By spelling out the rules in clear and concise language, companies can ensure that employees understand what is expected of them. The policy should make it clear to employees that they are company representatives and that they need to act appropriately in the virtual world—just as they would be expected to do at a corporate function.
Employers must be careful to define terms and provide examples to ensure that the policy is clear. Failing to do so can result in litigation. For example, the NLRB report discusses a case in which a nurse put a post on Facebook complaining about a colleague who frequently called in sick, creating extra work for the rest of the staff. The nurse was fired because she had “talked badly about the hospital” in violation of the hospital’s social media policy. The NLRB said that the policy in this case was too broad and provided no guidance as to what sort of social media discussions would and would not be appropriate.
In another case, however, the NLRB found that a company’s social media policy had the right to prohibit employees from communicating with media outlets and to require that they refer all requests to the company’s communications team. The policy, ruled the NLRB, was clearly designed and communicated to ensure that the company responded to the media with a unified message.
Educate employees. As with e-mail, social media can be used effectively in the business setting. But employers should not assume that employees know all the pitfalls. The specifics of what is and is not appropriate should be reinforced through periodic training that focuses on particular aspects of the social media landscape.
Stress confidentiality. In addition to a social media policy, companies must incorporate references to social media into their confidentiality policies and other communications. Employees must be reminded to be hyper-vigilant regarding the information they post and ensure that the information is already in the public domain—or, at a minimum, not considered confidential or sensitive by the company.
Respect privacy. The company policies with regard to the use of Internet information in investigations should follow the law. There is no violation of the Stored Communications Act, nor are there privacy concerns, when investigations are performed with information available to the public. Therefore, if an employee’s privacy settings allow open access to material, the company can review it without issue. But if the material is password protected or is viewable by invitation only, then employers must respect those boundaries. Company representatives should carefully document how they access such information and ensure that any access is freely given. If the representative cannot access the information in question without exerting some level of pressure on an employee, the company should abandon that course of action.
By understanding the legal challenges posed by social media and then developing a policy to address them, companies can reap the benefits of new technology while minimizing potential problems.
John P. Quirke is a partner with Archer and Greiner, PC, in New Jersey. He concentrates exclusively on management-side employment law.
illustration by carrotcreative