Employee’s Privacy Claim Based on Allegedly Improper Access to Facebook Post Fails — Ehling v. Monmouth-Ocean Hosp.
[Post by Venkat Balasubramani]
Ehling v. Monmouth-Ocean Hosp. Service Corp., 2013 WL 4436539 (D.N.J. Aug. 20, 2013).
We previously blogged about a case where the court declined to dismiss claims brought against an employer for accessing one employee’s Facebook posts through another employee (a practice known as “shoulder surfing”). On summary judgment, her claim is tossed. (For another case that raises similar allegations, see “University May Be Liable for Improper Access to Student’s Facebook Photos – Rodriguez v. Widener Univ.”)
Ehling worked for Monmouth-Ocean Hospital Service Corp., originally as a nurse and paramedic, but later in a more administrative role. She had some 200 Facebook friends, and posted the following comment to her wall:
An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards….go to target practice.
This post resulted in disciplinary action by Monmouth. Ehling alleged that Monmouth improperly gained access to the post, but the record at the summary judgment stage showed otherwise. Apparently, one of Ehling’s Facebook friends previously worked for the same company as someone else in a supervisory capacity at Monmouth, and passed the photo along, unsolicited. Of Ehling’s amended complaint, two of the six remaining claims were the Stored Communications Act claim and the invasion of privacy claim. These, and the remaining claims, are kicked by the court at summary judgment.
Stored Communications Act: The court first looks at whether the post is covered by the Stored Communications Act at all. After canvassing the case law and legislative history, the court says that it is covered: (1) it’s an electronic communication; (2) the post was transmitted via an electronic communications service; (3) the post is in electronic storage; and (4) finally and most importantly, the post was configured to be “not accessible to the general public.” With respect to this last issue, the court notes:
when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls. Privacy protection provided by the SCA does not depend on the number of Facebook friends that a user has. “Indeed, basing a rule on the number of users who can access information would result in arbitrary line-drawing” and would be generally unworkable. [citing Crispin v. Audigier]
Although the court says that the post is covered by the SCA, the court says that the authorized user exception applies and therefore there is no viable SCA claim. The authorized user exception covers (1) communications that are “authorized” (2) by a user of the service (3) “with respect to a communication . . . intended for that user”. Although the court’s analysis is somewhat tortured, the court says that Ehling’s friend was “authorized” to view the post and that the friend was not coerced in any way to turn over the post to management.
Invasion of privacy: Under New Jersey law, this tort requires a showing of (1) intentional intrusion; (2) that would be offensive to the reasonable person. Here the court says there was no intentional intrusion. The Facebook post was voluntarily turned over:
The evidence does not show that Defendants obtained access to Plaintiff’s Facebook page by, say, logging into her account, logging into another employee’s account, or asking another employee to log into Facebook. Instead, the evidence shows that Defendants were the passive recipients of information that they did not seek out or ask for. Plaintiff voluntarily gave information to her Facebook friend, and her Facebook friend voluntarily gave that information to someone else.
The invasion of privacy claim fails as well.
This is most interesting, as it touches on a variety of interesting topics that are similar to those raised by that old classic Moreno v. Hanford Sentinel, where the court said that republishing a quasi-private letter could be intentional infliction of emotional distress but wasn’t an invasion of privacy. The privacy claim plays out similarly here, although the court relies on the lack of intentional access, rather than saying that the post was not private in the first place.
The court’s conclusion that posts that are set to be accessed only by a group of friends are covered by the Stored Communications Act is not too surprising, but there are not a ton of cases that grapple with this question. The court says that regardless of the number of friends you have, if you configure your privacy settings so that only friends can access certain content, then this information is covered by the SCA. With respect to the issue of whether the co-worker consented to access of his Facebook account, I would think this would relate more to whether the co-worker had a viable claim under the SCA, rather than whether Ehling had a claim (since Ehling’s account was not accessed in any way). In other words, I don’t know that the court even needed to delve into the consent issue—it could have just said that the co-worker was authorized to access the post. End of story. (To my knowledge, the SCA does not contain any provisions relating to wrongful use of information that’s obtained in violation of the statute. Also, most courts have rejected derivative liability under the SCA. See, e.g., Kirch v. Embarq Management.)
Finally, these types of cases always raise the question of whether social media password legislation would cause a different result. I read the statute(s) to apply to an employee’s own account and not create a cause of action on behalf of another individual. But it remains to be seen how cases will play out under these statutes.
Employee privacy remains a minefield of sorts for employers, but this is a clear ruling that use of information voluntarily turned over by a co-worker will not form the basis for a privacy claim.