[Ed. note -- We are pleased today to share with you a blog post by attorney Lindsay Burke of Covington & Burling LLP. This post originally appeared at InsidePrivacy.com.]
A New Jersey federal court recently held that an employee’s Facebook wall posts were protected by the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., in one of the first cases to analyze the SCA’s application to the Facebook wall. Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-3305 (WMJ) (D.N.J. Aug. 20, 2013). An important factor in the court’s ruling was the fact that the employee had configured her privacy settings to restrict her posts to her Facebook “friends.”
The court found that the employer had not violated the SCA by viewing the employee’s wall, however, because a co-worker, who was one of her Facebook friends, showed the post to their employer without any prior prompting by the employer.
This ruling provides further reason for employers to avoid unauthorized access to an employee’s social media activities. The court’s holding is consistent with the passage by 11 states of laws prohibiting employers from demanding social media passwords from employees. But employers that learn of social media activity by employees through passive means may still be able to take action based on that information.
The plaintiff in the case was Deborah Ehling, who was hired by a New Jersey hospital as a registered nurse and paramedic in 2004. She later became president of the union of professional emergency medical services workers in the state. Ehling maintained a Facebook account with approximately 300 friends, including several co-workers, and she set her Facebook privacy settings so that only her friends could see posts on her Facebook wall. None of Ehling’s managers or supervisors at the hospital were her Facebook friends.
In 2009, Ehling posted a statement on her Facebook wall criticizing emergency response paramedics at a shooting at the Holocaust Museum in Washington, D.C., who reportedly saved the life of the shooter. A co-worker who was her “friend” on Facebook printed a screenshot of the post and gave it, unsolicited, to Ehling’s manager, who passed it on to hospital administrators. Ehling was temporarily suspended with pay and warned that her post showed “deliberate disregard for patient safety.” Ehling filed a complaint with the National Labor Relations Board, which found no privacy violation and no unfair labor practice, because the hospital management had not itself accessed or solicited the wall post.
Ehling was later terminated for attendance reasons, and she brought suit alleging invasion of privacy under New Jersey state law as well as violations of the SCA, among other claims.
The SCA was enacted in 1986. Analyzing the application of the SCA to Facebook wall posts, the court found that the posts were subject to the Act: Facebook wall posts are electronic communications (they are made over the internet); transmitted via an electronic communication service (Facebook allows users to send and receive electronic messages to each other through emails and posts); maintained in electronic storage (Facebook archives all old posts and emails); and not accessible to the general public. On the final element, the Court emphasized that the question of “accessibility” to the general public would turn on a user’s privacy settings.
Here, Ehling configured her settings so that her posts were not available for public viewing. The Court noted that its analysis was in accord with another federal court decision, Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010).
Although the wall posts were covered by the SCA, the Court held that the hospital did not violate the SCA by reading Ehling’s post because the “authorized user” exception under the SCA applied to the posts. Ehling’s post was viewed by a co-worker Facebook friend who was authorized to see her posts; he then printed the post and gave it to hospital management unsolicited. The Court therefore dismissed Ehling’s SCA claim.
The judge also ruled against Ehling on her invasion of privacy claim, finding that hospital management was a passive recipient of information. Thus, there was no intentional, offensive intrusion on Ehling’s solitude or seclusion. The court found that Ehling “voluntarily gave information to her Facebook friend, and her Facebook friend voluntarily gave that information to someone else. This may have been a violation of trust, but it was not a violation of privacy.”
Although the hospital prevailed in the suit, the case serves as an important caution to employers against unauthorized access to employees’ social media activities that are not open to the general public.
Lindsay Burke is special counsel in the employment practice group at Covington & Burling LLP in Washington DC, where she advises clients concerning compliance with federal and state employment laws, workplace privacy issues, and employee policies and agreements.