Accessing an Employee’s Facebook Posts by “Shoulder Surfing” a Coworker’s Page States Privacy Claim — Ehling v. Monmouth Ocean Hosp.
[Post by Venkat Balasubramani]
Ehling v. Monmouth Ocean Hospital Service Corp., 11-cv-3305 (WJM) (D.N.J.; May 30, 2012)
The extent to which employers demand social media credentials of their current and prospective employees is unclear, but employers do get in trouble for snooping on the social media activities of their employees on occasion. Pietrylo v. Hillstone Restaurant Group is one early example, but there are others. (Maryland was first out of the gate, but several other states have passed or are currently considering legislation that would broadly prohibit the practice of asking for employee social networking passwords; we’ll address those in a separate post.)
The facts here are relatively straightforward. Ehling is a registered nurse and a paramedic who worked for Monmouth Ocean Hospital Service Corp., a non-profit hospital corporation. Ehling was in union leadership and alleged that Monmouth engaged in a pattern of retaliatory conduct against her based on her activities and statements. Ehling apparently maintained a Facebook account and was careful not to friend Monmouth management, although she was friends with many of her coworkers.
In 2009, Ehling posted comments in response to an incident where a white supremacist opened fire at the Holocaust Museum in Washington, D.C.:
The 88 yr old was shot, He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference. WTF!!! And to the other guards….go to target practice.
Monmouth management did not have access to Ehling’s Facebook post but asked another Monmouth employee to pull up Ehling’s profile and posts while “in [a] supervisor’s presence.” As a result of this and other allegedly retaliatory action taken by Monmouth, Ehling brought a variety of claims against Monmouth. Monmouth moved to dismiss two counts: (1) the claim under New Jersey’s wiretapping and eavesdropping statute and (2) one for invasion of privacy.
New Jersey Wiretapping Statute: The court dismisses the claim under the New Jersey statute. New Jersey courts have construed the definition of “electronic storage” to cover only those messages that are “in the course of transmission or are backup to that course of transmission.” According to the court, case law interprets the statute to not cover communications that have been received and are in “post-transmission storage.” Since the posts were not intercepted while “in transmission,” access of Ehling’s post failed to state a claim under the statute.
Invasion of Privacy: The viability of the invasion of privacy claim turned on the familiar issue of whether Ehling had a “reasonable expectation of privacy” in her Facebook posts. Under New Jersey law, this required her to show that: (1) Monmouth intruded on her solitude, seclusion or private affairs and (2) the intrusion would be highly offensive to a reasonable person. The court says that privacy for social networking posts is an “emerging, but underdeveloped” area of the law. Viewing the spectrum of cases, the court says that on one end of the spectrum, there is clearly no expectation of privacy in material posted to an unprotected site that’s accessible by anyone. On the other end of the spectrum, courts have recognized an expectation of privacy for password-protected on-line communications. (Citing, among other cases, Pure Power Boot Camp v. Warrior Fitness Boot Camp). There is no consistent approach with respect to communications falling in between—i.e., where someone makes statements to a “limited group” of people, such as their Facebook friends. These cases should be resolved on a case-by-case basis and the court concludes that plaintiff states a plausible claim for invasion of privacy.
Ehling brought a claim under the Stored Communications Act but Monmouth did not move to dismiss this claim. It’s not clear whether accessing the Facebook post “over the shoulder” of Ehling’s co-worker constitutes unauthorized access under the SCA, but I would have guessed the court would have declined to resolve this issue at the motion to dismiss stage anyway.
Although it’s unclear whether the Stored Communications Act covers Facebook posts, one early case in the discovery context–Crispin v. Audigier–said yes. In Crispin, the court said that Facebook posts may fall under the SCA, but this depended on the privacy settings in question. A couple of other cases have allowed SCA claims where an employer gains access to privacy-protected employee pages: (1) Pietrylo v. Hillstone Restaurant Group (MySpace page) and (2) Konop v. Hawaiian Airlines (private bulletin board). Both of these cases are somewhat distinguishable on the basis that in these cases, the employers obtained the credentials themselves and repeatedly accessed the sites or pages in question. (Accessing a communication that is in storage requires the plaintiff to show that the employer “accessed a facility through which an electronic communication service is provided.”) To my knowledge, there have been no rulings squarely addressing the practice of “shoulder surfing,” an issue that will come up in the employment context, as well as in the context of school administration. To the extent the password laws aim to fill gaps in privacy protection, they should address this practice.
Setting the SCA statutory quagmire aside, there’s also the issue of damages. Were this a run of the mill privacy lawsuit, Ehling would not necessarily stand a good chance of winning significant damages. It’s not clear that the result should change just because the party who obtained access to the post happened to be Ehling’s employer. (See for example Pure Power Boot Camp where the court awarded nominal damages for similar violations.) Interestingly, in Pietrylo, which was cited by the court on the privacy issue, the court allowed the Stored Communications Act, privacy claims, and claims under the New Jersey wiretapping statute to go forward. The jury returned a mixed verdict, but awarded a nominal amount of damages. (Check out the CMLP page on the case here.)
The court’s finding that access of the Facebook post may support an invasion of privacy claim is noteworthy, and adds to the small body of law dealing with invasion of privacy claims based on access to quasi-public posts. On the one hand, there is merit to the view that disclosure to a small group shouldn’t undermine privacy rights in personal communications. As the court recognized in Moreno v. Hanford Sentinel, the claim of a right of privacy is not “so much one of total secrecy as it is of the right to define one’s circle of intimacy.” Moreno involved a MySpace post which was made generally available on the internet, which distinguishes it from the post in this case which was ostensibly limited to Ehling’s Facebook friends. On the other hand, you have to wonder how “private” users expect their communications to remain when they post to Facebook. Regardless of the privacy settings, which may restrict immediate availability of the post to a limited group of Facebook friends, a rant–such as the one at issue in this case–doesn’t seem like something that anyone would post online and necessarily expect to remain available only to a discrete or small group. (The number of Facebook friends she had will end up being relevant to the determination of whether the post should be accorded any privacy protection.)
A final point is that Ehling’s Facebook posts (it doesn’t seem like they were the ones at issue in this case) were the subject of an NLRB memorandum [pdf]. The Office of the General Counsel recommended that the complaint should largely be dismissed. Lurking in the background of this case is whether the employer’s actions chill the exercise of the employee’s advocacy rights. The NLRB released yet another memorandum on employer social media policies, focusing on when policies allow insufficient breathing room for employee advocacy. See: “After NLRB’s Memo, Drafting Employment Policies Got Trickier.”
A cautionary note to employers (and other administrators): while this order did not squarely address the issue of “shoulder surfing” under the Stored Communications Act, it does reaffirm that employees can bring invasion of privacy claims based on unauthorized access to non-public posts.