Employer Who Takes Over Employee’s Social Media Accounts May Commit Privacy Violation–Maremont v Susan Fredman Design
We’ve blogged about the dispute between Maremont and Susan Fredman Design Group before. Maremont was employed as SFDG’s social media consultant, and when she was injured in a severe accident, SFDG allegedly continued to access (1) a Twitter account registered to Maremont’s name but allegedly used to the benefit of SFDG, and (2) a personal Facebook account that had administrative privileges to SFDG’s business account. The lawsuit was previously whittled down; this time around, the court gets rid of the Lanham Act claim, but sends the Stored Communications Act claim to trial.
Lanham Act Claim: The court dismisses Maremont’s Lanham Act claim based on fatal deficiencies in Maremont’s damages allegations. During her deposition, she admitted that she did not suffer any commercial injury; her qualms were purely emotional. She belatedly asserted a claim based on lost sales generated by SFDG through posts made to the Twitter and Facebook accounts in question, but the court says her belated disclosure precludes these claims.
Interestingly, although the court has an easy basis to dismiss the Lanham Act claim, the court revisits SFDG’s argument that Maremont lacks standing. In the process of rejecting this argument, the court notes that Maremont’s Twitter and Facebook following is a “marketable commercial interest,” and SFDG’s alleged exploitation of this interest is sufficient to create standing under the Lanham Act. (The court distinguishes two interesting Lanham Act standing cases that we’ve covered on the blog: Stayart and Nieman v. Versuslaw.)
The court also rejects SFDG’s argument that because the Twitter account was always associated with SFDG, any continuing association between the account and SFDG could not result in anyone being “misled” as to the origin of the Twitter posts. Because the nature of the account is disputed and cannot be ascertained beyond dispute, the court says that posts that came from SFDG but looked like they were from Maremont could result in a Lanham Act violation. The court points to the fact that defendants (1) did not change the Twitter handle and (2) “even used the first person in one Tweet” (to make it look like it Maremont was posting). [I’m not sure what to make of this conclusion and how to square it with the undisputed fact that the SFDG explained in a blog post—linked to the Twitter account—that Maremont was injured and her replacement would be taking over on a temporary basis.]
SCA Claim: The SCA claim requires someone to engage in unauthorized access to a facility through which electronic communications services are provided (or by exceeding authorization) and in the process “obtaining, altering, or preventing authorized access to” a communication that’s in “storage”. Defendants argued that there was no evidence that they accessed any communications, but the court glosses over this and says that given the undisputed fact that defendants posted to the accounts, and given that there is a dispute over ownership to the accounts, Maremont could state an SCA claim.
Defendants also argued that Maremont’s claim should be dismissed because she failed to adduce any evidence of actual damages, that no matter how minimal, are required for an award of statutory damages. The court initially cited to Van Alstyne and agreed with defendants on this issue, but this time around reconsiders and says that under the SCA a plaintiff is not required to show actual damages in order to be entitled to statutory damages. In any event, the court says that (1) her allegations of emotional distress suffice, despite not being supported by expert testimony, and (2) even under Van Alstyne, actual damages are not necessary to recover costs, fees, or punitive damages.
No IL Worker’s Comp Preemption: Defendants also argued that the claims in question were preempted by the Illinois worker’s comp statute, but the court says that defendants waived this defense by not raising it initially.
If you are an employer, you probably have some instinct that you should not access your employee’s personal social media accounts. But if your employee provided you a spreadsheet with password information to certain accounts along with tracking information related to social media campaigns conducted on behalf of the company through those accounts, would you think that by using these passwords you would be hit with possible violations of a federal statute that had criminal consequences? Unfortunately, that’s the road this lawsuit went down.
To say that this is a trademark lawsuit—and a dubious one at that—dressed up in privacy clothing is an understatement. The court dismisses the trademark claim, as it should have, but crazily, the privacy claim moves forward. SFDG is facing the prospect of an expensive trial for using passwords that there is little dispute were provided to SFDG while being fully transparent about any content that was posted to those accounts. Let’s not kid ourselves. Maremont does not care at all about who accessed her Twitter direct messages or her Facebook messages. If she had any qualms about this, she would certainly have highlighted any sensitive messages she believed SFDG accessed, and any fallout from SFDG’s alleged access of those messages. Instead, the court concludes that SFDG’s mere access of the accounts was sufficient to violate Maremont’s rights under the SCA. One could read the statute to require not just access of the account, but access of electronic communications that are in “storage”. Another way to violate the statute is to prevent the authorized account-holder’s access to the facility (account). But Maremont presented no evidence of either occurrence, and the court doesn’t discuss why mere access of the account is sufficient from an evidentiary and statutory standpoint to state a violation.
We’ve both blogged about social media password legislation and how it’s a clunky solution at best to a problem that may not even exist. One of the big issues posed by such legislative proposals is that the facts are often unclear as to whether an account is used for business or personal (or mixed) reasons, and the statutes don’t do anything to help untangle this dispute. This ruling is a good illustration of how an extremely tenuous argument about putative ownership of or the intent surrounding an account will be sufficient to muddy the ownership waters, and keep an employer on the hook. Here, there was no dispute that both accounts were used to promote the business, and Maremont allegedly stored the passwords on her work computer that was presumably accessible by SFDG. When Maremont returned to work at SFDG for a short period (before she stopped due to medical reasons) she “thanked her temporary replacements . . . for their posts on the blog in her absence.” Heck, as to one of the disputed Facebook posts, Maremont’s husband acknowledged that he authored one of them, betraying that he also had access to Maremont’s Facebook account. (Just because she shared the password with her spouse—which is probably something to avoid—doesn’t mean any third party could freely access the account, but still, the fact that he had access was telling about what protective measures Maremont took.) SFDG’s explanation for its access of Maremont’s personal Facebook account was also pretty reasonable. Unfortunately, Facebook requires a business account to be linked to a personal account, and there was a dispute over whether only Maremont had administrative access or whether she had given access to others. I would have expected the facts to have been more fully developed on this (and other) points, but it’s certainly an understandable mistake to make from the employer perspective.
For what it’s worth, Illinois now has social media password legislation (820 ILCS 55), but its definition of what is a professional account (an account maintained “for business purposes of the employer”) versus what is a personal account (one that is maintained “exclusively for personal communications unrelated to any business purposes of the employer”) either doesn’t resolve the question very easily, or points in the direction of SFDG’s access being proper. (Question as to whether this legislation may be preempted by the SCA.)
Ultimately, I think clarity in the form of clear guidelines or better yet a written agreement delineating which accounts are employer-accounts and should therefore be controlled by the employer is most advisable. In the meantime, expect more messy lawsuits that while weak on damages state enough of a technical violation to cause problems for employers.
Blech. This judge was clearly overwhelmed by the technical aspects of the case. The result is crummy for everyone.
False Endorsement. The poor drafting in the Lanham Act creates plenty of incoherency, and the “false endorsement” doctrine is at or near the top of my list of incoherent Lanham Act doctrines. Although the employer defeated this claim, the court’s discussion is Bad News for employers. All of the claim elements pointed in favor of Maremont, or at least raised triable issues, except for the damages piece. I imagine future litigants will root around for additional purported damages to overcome that element. Seeing some of the crazy Internet lawsuits that have already tried to make hay from “false endorsement” (e.g., Stayart), I imagine we’ll see those with renewed vigor. Yay. And how many times have we seen a troublemaker take another person’s social media accounts for a joyride? Let’s make those a federal case as well.
Business v. Personal Accounts. As Venkat points out, most of the states enacting employee social media privacy laws are creating future fights over whether the account was personal, corporate or both. The fact that most of those laws don’t resolve the known border cases already percolating through the courts just reinforces what a bad job those bill drafters have done. I’ll have more to say about this soon.
In this case, the court goes out of its way to explain, twice, that Maremont’s compensation was tied to revenue she could pump up through her social media activity. That, combined with the fact she left a roadmap to her social media accounts at the office, seems to make it entirely clear that she was operating those social media accounts were at least partially for the business.
Let’s try it a different way (revisiting the issue dodged in PhoneDog v. Kravitz case). Who owned the copyright to Maremont’s social media posts? It seems highly likely that her employer did, at least those published with the goal of pumping up the company’s revenues. If so, doesn’t the employer have the right to manage those business assets?
Lessons for the future. Normally we advise employers to get the login credentials of the social media accounts set up by employees. Here, the employer did that; but now, under the new laws sweeping the nation, even making that request could be independently actionable. This case further tells us that just having the login credentials isn’t enough, because using them could be an SCA violation. So perhaps the new protocol goes something like this:
Step 1: get employees to agree in writing which social media accounts are business accounts
Step 2: get login credentials for the accounts.
You can’t reverse the order of the steps because otherwise you run the risk that the login credential request violates the state law. And notice the legal trap for the *employee*: if an employer follows this protocol, any employee accessing one of the designated accounts post-termination will be committing a long list of federal and state legal violations. Employment lawyers trying to hassle former employees surely would love that. Let the post-employment litigation fiestas over social media login credentials begin!
Case Citation: Maremont v. Susan Fredman Design Group, Ltd., 2014 WL 812401 (N.D. Ill. March 3, 2014).